diff --git a/docs/src/content/docs/guides/reusing-workflows.mdx b/docs/src/content/docs/guides/reusing-workflows.mdx index 5ff9cbc7911..2ef6dc26f30 100644 --- a/docs/src/content/docs/guides/reusing-workflows.mdx +++ b/docs/src/content/docs/guides/reusing-workflows.mdx @@ -27,12 +27,12 @@ gh aw add-wizard https://github.com/githubnext/agentics/blob/main/workflows/dail gh aw add-wizard githubnext/agentics/daily-repo-status # Skip the API key prompt when a secret is already configured -gh aw add-wizard githubnext/agentics/daily-repo-status --skip-secret +gh aw add-wizard githubnext/agentics/daily-repo-status --no-secret ``` This checks requirements, adds the workflow markdown file to your repository, and generates the corresponding YAML workflow. After adding, commit and push the changes to your repository. -The `--skip-secret` flag bypasses the interactive API key prompt. Use it when the required secret (e.g., `COPILOT_GITHUB_TOKEN`) is already configured at the organization or repository level. +The `--no-secret` flag bypasses the interactive API key prompt. Use it when the required secret (e.g., `COPILOT_GITHUB_TOKEN`) is already configured at the organization or repository level. For non-interactive installation, use `gh aw add` with optional versioning. By default this looks in the `workflows/` directory, but you can specify an explicit path if needed: diff --git a/docs/src/content/docs/setup/cli.md b/docs/src/content/docs/setup/cli.md index d9bd6dab3b7..93aa598ba4f 100644 --- a/docs/src/content/docs/setup/cli.md +++ b/docs/src/content/docs/setup/cli.md @@ -154,10 +154,10 @@ Add a workflow with interactive guided setup. Checks requirements, adds the mark gh aw add-wizard githubnext/agentics/ci-doctor # Interactive setup gh aw add-wizard https://github.com/org/repo/blob/main/workflows/my-workflow.md gh aw add-wizard https://example.com/workflows/my-workflow.json # Arbitrary URL (JSON workflow) -gh aw add-wizard githubnext/agentics/ci-doctor --skip-secret # Skip secret prompt +gh aw add-wizard githubnext/agentics/ci-doctor --no-secret # Skip secret prompt ``` -**Options:** `--skip-secret`, `--dir/-d`, `--engine/-e`, `--no-gitattributes`, `--no-stop-after`, `--stop-after` +**Options:** `--no-secret`, `--dir/-d`, `--engine/-e`, `--no-gitattributes`, `--no-stop-after`, `--stop-after` When the Copilot engine is selected, the wizard prompts the user to choose an authentication method: organization billing via [`permissions.copilot-requests: write`](/gh-aw/reference/auth/#copilot-requests-write-permission) (no PAT required), or a [`COPILOT_GITHUB_TOKEN`](/gh-aw/reference/auth/#copilot_github_token) personal access token. Selecting org billing injects the `copilot-requests: write` permission into the workflow frontmatter and skips the API key secret prompt. @@ -174,7 +174,7 @@ gh aw add https://example.com/workflows/my-workflow.md # Arbitrary gh aw add https://example.com/workflows/my-workflow.json # Arbitrary HTTPS URL (JSON workflow definition) ``` -**Options:** `--dir/-d`, `--create-pull-request`, `--no-gitattributes`, `--append`, `--disable-security-scanner`, `--engine/-e`, `--force/-f`, `--name/-n`, `--no-stop-after`, `--stop-after` +**Options:** `--dir/-d`, `--create-pull-request`, `--no-gitattributes`, `--append`, `--no-security-scanner`, `--engine/-e`, `--force/-f`, `--name/-n`, `--no-stop-after`, `--stop-after` Repository-level packages can declare an [`aw.yml` manifest](/gh-aw/reference/aw-yml-package-manifest/) at the repository root or in a nested package folder to define installable files, package `README.md`, schema compatibility, and minimum supported CLI versions. @@ -356,7 +356,7 @@ gh aw trial ./workflow.md --host-repo owner/repo # Run directly in repository gh aw trial ./workflow.md --dry-run # Preview without executing ``` -**Options:** `-e/--engine`, `--repeat`, `--delete-host-repo-after`, `--logical-repo/-l`, `--clone-repo`, `--trigger-context`, `--host-repo`, `--dry-run`, `--append`, `--auto-merge-prs`, `--disable-security-scanner`, `--force-delete-host-repo-before`, `--json/-j`, `--timeout`, `--yes/-y` +**Options:** `-e/--engine`, `--repeat`, `--delete-host-repo-after`, `--logical-repo/-l`, `--clone-repo`, `--trigger-context`, `--host-repo`, `--dry-run`, `--append`, `--auto-merge-prs`, `--no-security-scanner`, `--force-delete-host-repo-before`, `--json/-j`, `--timeout`, `--yes/-y` **Secret Handling:** API keys required for the selected engine are automatically checked. If missing from the target repository, they are prompted for interactively and uploaded. @@ -466,7 +466,7 @@ echo "1234567890" | gh aw logs --stdin --engine claude cat run-ids.txt | gh aw logs --stdin --repo owner/repo # required for bare numeric IDs ``` -**Options:** `--after-run-id`, `--artifacts`, `--before-run-id`, `--cache-before`, `--count/-c`, `--end-date`, `--engine/-e`, `--filtered-integrity`, `--firewall`, `--format`, `--json/-j`, `--last`, `--no-firewall`, `--no-staged`, `--output/-o`, `--parse`, `--ref`, `--repo/-r`, `--safe-output`, `--start-date`, `--stdin`, `--summary-file`, `--timeout`, `--tool-graph`, `--train` +**Options:** `--after-run-id`, `--artifacts`, `--before-run-id`, `--cache-before`, `--count/-c`, `--end-date`, `--engine/-e`, `--filtered-integrity`, `--firewall`, `--format`, `--json/-j`, `--last`, `--no-firewall`, `--no-staged`, `--output/-o`, `--parse`, `--ref`, `--report-file`, `--repo/-r`, `--safe-output`, `--start-date`, `--stdin`, `--summary-file`, `--timeout`, `--tool-graph`, `--train` #### `audit` @@ -497,7 +497,7 @@ cat run-ids.txt | gh aw audit --stdin --repo owner/repo The `--repo` flag accepts `owner/repo` format and is required when passing a bare numeric run ID without a full URL, allowing the command to locate the correct repository. -The `--artifacts` flag selects which artifact sets to download (default: `usage`). Valid sets include `activation`, `agent`, `all`, `detection`, `experiment`, `firewall`, `github-api`, `mcp`, and `usage`. Use `all` to download the full artifact set. The `--experiment` flag filters to runs that include the named experiment; `--variant` further restricts to a specific variant value and requires `--experiment` to be set. The `--output/-o` flag overrides the output directory. +The `--artifacts` flag selects which artifact sets to download (default: `all`). Valid sets include `activation`, `agent`, `all`, `detection`, `experiment`, `firewall`, `github-api`, `mcp`, and `usage`. Use `all` to download the full artifact set. The `--experiment` flag filters to runs that include the named experiment; `--variant` further restricts to a specific variant value and requires `--experiment` to be set. The `--output/-o` flag overrides the output directory. Logs are saved to `logs/run-{id}/` with filenames indicating the extraction level. Pre-agent failures (integrity filtering, missing secrets, binary install) surface the actual error in `failure_analysis.error_summary`. Invalid run IDs return a human-readable error. @@ -546,6 +546,18 @@ gh aw outcomes 1234567890 --outcomes-dir ./otlp # Write outcome JSONL for OTLP e **Options:** `--json/-j`, `--repo/-r`, `--output/-o`, `--outcomes-dir` +##### `outcomes history` + +Score recent issues and merged pull requests against the objective mapping. Gives a quick local historical view of what kinds of work the repository has been closing or merging under the current objective mapping. + +```bash wrap +gh aw outcomes history # Score recent issues and PRs +gh aw outcomes history --source issues --limit 100 # Only issues, limited to 100 items +gh aw outcomes history --repo owner/repo --json # JSON output for another repo +``` + +**Options:** `--limit`, `--source`, `--json/-j`, `--repo/-r` + #### `health` Display workflow health metrics and success rates. @@ -639,7 +651,7 @@ gh aw remove my-workflow --keep-orphans # Remove but keep orphaned include file Update workflows based on `source` field (`owner/repo/path@ref`). By default, performs a 3-way merge to preserve local changes; use `--no-merge` to override with upstream. Semantic versions update within same major version. -By default, `update` also force-updates all GitHub Actions referenced in your workflows (both in `actions-lock.json` and workflow files) to their latest major version. Use `--disable-release-bump` to restrict force-updates to core `actions/*` actions only. +By default, `update` also force-updates all GitHub Actions referenced in your workflows (both in `actions-lock.json` and workflow files) to their latest major version. Use `--no-release-bump` to restrict force-updates to core `actions/*` actions only. If no workflows in the repository contain a `source` field, the command exits gracefully with an informational message rather than an error. This is expected behavior for repositories that have not yet added updatable workflows. @@ -648,12 +660,12 @@ gh aw update # Update all with source field gh aw update ci-doctor # Update specific workflow (3-way merge) gh aw update ci-doctor --no-merge # Override local changes with upstream gh aw update ci-doctor --major --force # Allow major version updates -gh aw update --disable-release-bump # Update workflows; only force-update core actions/* +gh aw update --no-release-bump # Update workflows; only force-update core actions/* gh aw update --repo owner/repo # Update workflows in another repository gh aw update --create-pull-request # Update and open a pull request ``` -**Options:** `--dir/-d`, `--no-merge`, `--major`, `--force/-f`, `--engine/-e`, `--no-stop-after`, `--stop-after`, `--disable-release-bump`, `--disable-security-scanner`, `--create-pull-request`, `--no-compile`, `--no-redirect`, `--cool-down`, `--repo/-r` +**Options:** `--dir/-d`, `--no-merge`, `--major`, `--force/-f`, `--engine/-e`, `--no-stop-after`, `--stop-after`, `--no-release-bump`, `--no-security-scanner`, `--create-pull-request`, `--no-compile`, `--no-redirect`, `--cool-down`, `--repo/-r` The `--no-redirect` flag causes `update` to fail when the source workflow has a [`redirect`](/gh-aw/reference/frontmatter/) field, rather than following the redirect to its new location. Use this when you want explicit control over redirect handling. @@ -669,7 +681,7 @@ gh aw deploy githubnext/agentics/repo-assist githubnext/agentics/ci-doctor --rep gh aw deploy ./my-workflow.md --repo owner/repo ``` -**Options:** `--repo/-r` (required), `--name/-n`, `--engine/-e`, `--force/-f`, `--append`, `--no-gitattributes`, `--dir/-d`, `--no-stop-after`, `--stop-after`, `--disable-security-scanner`, `--cool-down` +**Options:** `--repo/-r` (required), `--name/-n`, `--engine/-e`, `--force/-f`, `--append`, `--no-gitattributes`, `--dir/-d`, `--no-stop-after`, `--stop-after`, `--no-security-scanner`, `--cool-down` The `--repo` flag is required and accepts `owner/repo` form. The target repository is checked out under `.github/aw/updates/` inside the current working tree, so the command must be run from inside a git repository. Workflows already present in the target with a `source` frontmatter field are refreshed through the update phase and skipped by the add phase to avoid duplicate-add errors. The pull request commit title is `chore: deploy agentic workflows`. The default `--cool-down` value is `7d`. diff --git a/pkg/cli/add_command.go b/pkg/cli/add_command.go index d746b50428e..1e27c801e1d 100644 --- a/pkg/cli/add_command.go +++ b/pkg/cli/add_command.go @@ -115,7 +115,9 @@ Note: For guided interactive setup, use the 'add-wizard' command instead.`, workflowDir, _ := cmd.Flags().GetString("dir") noStopAfter, _ := cmd.Flags().GetBool("no-stop-after") stopAfter, _ := cmd.Flags().GetString("stop-after") - disableSecurityScanner, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner, _ := cmd.Flags().GetBool("no-security-scanner") + disableSecurityScannerLegacy, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner = disableSecurityScanner || disableSecurityScannerLegacy if nameFlag != "" && len(workflows) > 1 { return errors.New("--name flag cannot be used when adding multiple workflows at once") @@ -179,8 +181,10 @@ Note: For guided interactive setup, use the 'add-wizard' command instead.`, // Add stop-after flag to add command cmd.Flags().String("stop-after", "", "Override stop-after value in the workflow (e.g., '+48h', '2025-12-31 23:59:59')") - // Add disable-security-scanner flag to add command + // Add no-security-scanner flag to add command (--disable-security-scanner is kept as an undocumented alias) + cmd.Flags().Bool("no-security-scanner", false, "Disable security scanning of workflow markdown content") cmd.Flags().Bool("disable-security-scanner", false, "Disable security scanning of workflow markdown content") + _ = cmd.Flags().MarkHidden("disable-security-scanner") // Register completions for add command RegisterEngineFlagCompletion(cmd) diff --git a/pkg/cli/add_interactive_engine.go b/pkg/cli/add_interactive_engine.go index cec47c0b319..7d57016c36d 100644 --- a/pkg/cli/add_interactive_engine.go +++ b/pkg/cli/add_interactive_engine.go @@ -144,15 +144,15 @@ func (c *AddInteractiveConfig) selectAIEngineAndKey() error { func (c *AddInteractiveConfig) configureEngineAPISecret(engine string) error { addInteractiveLog.Printf("Collecting API key for engine: %s", engine) - // If --skip-secret flag is set, skip secrets configuration entirely. - // Note: for Copilot workflows, --skip-secret implies the PAT path; users who want - // copilot-requests (org billing) should not pass --skip-secret. + // If --no-secret flag is set, skip secrets configuration entirely. + // Note: for Copilot workflows, --no-secret implies the PAT path; users who want + // copilot-requests (org billing) should not pass --no-secret. if c.SkipSecret { opt := constants.GetEngineOption(engine) if opt != nil { - fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Skipping %s secret setup (--skip-secret flag set).", opt.SecretName))) + fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Skipping %s secret setup (--no-secret flag set).", opt.SecretName))) } else { - fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Skipping secret setup (--skip-secret flag set).")) + fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Skipping secret setup (--no-secret flag set).")) } return nil } diff --git a/pkg/cli/add_wizard_command.go b/pkg/cli/add_wizard_command.go index 1139fb84014..35c0835b1b3 100644 --- a/pkg/cli/add_wizard_command.go +++ b/pkg/cli/add_wizard_command.go @@ -52,7 +52,7 @@ Note: To create a new workflow from scratch, use the 'new' command instead.`, ` + string(constants.CLIExtensionPrefix) + ` add-wizard https://example.com/my-workflow.md # Guided setup from any HTTPS URL ` + string(constants.CLIExtensionPrefix) + ` add-wizard https://example.com/workflow.json # Import JSON workflow definition with guided setup ` + string(constants.CLIExtensionPrefix) + ` add-wizard githubnext/agentics/ci-doctor --engine copilot # Pre-select engine - ` + string(constants.CLIExtensionPrefix) + ` add-wizard githubnext/agentics/ci-doctor --skip-secret # Skip secret prompt + ` + string(constants.CLIExtensionPrefix) + ` add-wizard githubnext/agentics/ci-doctor --no-secret # Skip secret prompt `, Args: func(cmd *cobra.Command, args []string) error { if len(args) < 1 { @@ -68,7 +68,9 @@ Note: To create a new workflow from scratch, use the 'new' command instead.`, workflowDir, _ := cmd.Flags().GetString("dir") noStopAfter, _ := cmd.Flags().GetBool("no-stop-after") stopAfter, _ := cmd.Flags().GetString("stop-after") - skipSecret, _ := cmd.Flags().GetBool("skip-secret") + noSecret, _ := cmd.Flags().GetBool("no-secret") + skipSecretLegacy, _ := cmd.Flags().GetBool("skip-secret") + skipSecret := noSecret || skipSecretLegacy addWizardLog.Printf("Starting add-wizard: workflows=%v, engine=%s, verbose=%v", workflows, engineOverride, verbose) @@ -112,8 +114,10 @@ Note: To create a new workflow from scratch, use the 'new' command instead.`, // Add stop-after flag cmd.Flags().String("stop-after", "", "Override stop-after value in the workflow (e.g., '+48h', '2025-12-31 23:59:59')") - // Add skip-secret flag + // Add no-secret flag (--skip-secret is kept as an undocumented alias) + cmd.Flags().Bool("no-secret", false, "Skip the API secret prompt (use when the secret is already set at the org or repo level)") cmd.Flags().Bool("skip-secret", false, "Skip the API secret prompt (use when the secret is already set at the org or repo level)") + _ = cmd.Flags().MarkHidden("skip-secret") // Register completions RegisterEngineFlagCompletion(cmd) diff --git a/pkg/cli/add_wizard_tuistory_integration_test.go b/pkg/cli/add_wizard_tuistory_integration_test.go index bdeba93df39..e7bb9c41238 100644 --- a/pkg/cli/add_wizard_tuistory_integration_test.go +++ b/pkg/cli/add_wizard_tuistory_integration_test.go @@ -103,7 +103,7 @@ func TestTuistoryAddWizardIntegration(t *testing.T) { }() sessionName := fmt.Sprintf("gh-aw-add-wizard-%d", time.Now().UnixNano()) - command := fmt.Sprintf("%s add-wizard ./%s --engine copilot --skip-secret", setup.binaryPath, filepath.Base(setup.workflowPath)) + command := fmt.Sprintf("%s add-wizard ./%s --engine copilot --no-secret", setup.binaryPath, filepath.Base(setup.workflowPath)) launchArgs := []string{ "launch", command, diff --git a/pkg/cli/deploy_command.go b/pkg/cli/deploy_command.go index 21685404580..9d216810f4c 100644 --- a/pkg/cli/deploy_command.go +++ b/pkg/cli/deploy_command.go @@ -95,7 +95,9 @@ func registerDeployFlags(cmd *cobra.Command) { cmd.Flags().StringP("dir", "d", "", "Workflow directory (default: .github/workflows)") cmd.Flags().Bool("no-stop-after", false, "Remove any stop-after field from the workflow") cmd.Flags().String("stop-after", "", "Override stop-after value in the workflow (e.g., '+48h', '2025-12-31 23:59:59')") + cmd.Flags().Bool("no-security-scanner", false, "Disable security scanning of workflow markdown content") cmd.Flags().Bool("disable-security-scanner", false, "Disable security scanning of workflow markdown content") + _ = cmd.Flags().MarkHidden("disable-security-scanner") cmd.Flags().String("cool-down", defaultDeployCooldown, coolDownFlagUsage) RegisterEngineFlagCompletion(cmd) @@ -126,7 +128,9 @@ func parseDeployCommandOptions(cmd *cobra.Command, workflows []string, validateE workflowDir, _ := cmd.Flags().GetString("dir") noStopAfter, _ := cmd.Flags().GetBool("no-stop-after") stopAfter, _ := cmd.Flags().GetString("stop-after") - disableSecurityScanner, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner, _ := cmd.Flags().GetBool("no-security-scanner") + disableSecurityScannerLegacy, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner = disableSecurityScanner || disableSecurityScannerLegacy coolDownStr, _ := cmd.Flags().GetString("cool-down") if nameFlag != "" && len(workflows) > 1 { diff --git a/pkg/cli/deploy_command_test.go b/pkg/cli/deploy_command_test.go index 45ba1968c2b..dddc9d0f2b3 100644 --- a/pkg/cli/deploy_command_test.go +++ b/pkg/cli/deploy_command_test.go @@ -42,7 +42,7 @@ func TestNewDeployCommand_RegistersCoreFlags(t *testing.T) { "dir", "no-stop-after", "stop-after", - "disable-security-scanner", + "no-security-scanner", "cool-down", } diff --git a/pkg/cli/trial_command.go b/pkg/cli/trial_command.go index a8c77a02ca2..1ab09ab3bcf 100644 --- a/pkg/cli/trial_command.go +++ b/pkg/cli/trial_command.go @@ -67,7 +67,9 @@ Trial results are saved both locally (in trials/ directory) and in the host repo engineOverride, _ := cmd.Flags().GetString("engine") appendText, _ := cmd.Flags().GetString("append") verbose, _ := cmd.Root().PersistentFlags().GetBool("verbose") - disableSecurityScanner, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner, _ := cmd.Flags().GetBool("no-security-scanner") + disableSecurityScannerLegacy, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner = disableSecurityScanner || disableSecurityScannerLegacy if err := validateEngine(engineOverride); err != nil { trialLog.Printf("Engine validation failed: engine=%s, err=%v", engineOverride, err) @@ -128,7 +130,9 @@ Trial results are saved both locally (in trials/ directory) and in the host repo addEngineFlag(cmd) addJSONFlag(cmd) cmd.Flags().String("append", "", "Append extra content to the end of agentic workflow on installation") + cmd.Flags().Bool("no-security-scanner", false, "Disable security scanning of workflow markdown content") cmd.Flags().Bool("disable-security-scanner", false, "Disable security scanning of workflow markdown content") + _ = cmd.Flags().MarkHidden("disable-security-scanner") cmd.MarkFlagsMutuallyExclusive("host-repo", "repo") cmd.MarkFlagsMutuallyExclusive("logical-repo", "clone-repo") diff --git a/pkg/cli/update_command.go b/pkg/cli/update_command.go index 75b9ba64864..fd15fe4bd8e 100644 --- a/pkg/cli/update_command.go +++ b/pkg/cli/update_command.go @@ -53,7 +53,7 @@ Note: In GitHub Enterprise repos, shorthand source specs resolve on your enterpr ` + string(constants.CLIExtensionPrefix) + ` update --no-merge # Override local changes with upstream ` + string(constants.CLIExtensionPrefix) + ` update repo-assist --major # Allow major version updates ` + string(constants.CLIExtensionPrefix) + ` update --force # Force update even if no changes - ` + string(constants.CLIExtensionPrefix) + ` update --disable-release-bump # Update without force-bumping all action versions + ` + string(constants.CLIExtensionPrefix) + ` update --no-release-bump # Update without force-bumping all action versions ` + string(constants.CLIExtensionPrefix) + ` update --no-compile # Update without regenerating lock files ` + string(constants.CLIExtensionPrefix) + ` update --no-redirect # Refuse workflows that use redirect frontmatter ` + string(constants.CLIExtensionPrefix) + ` update --dir custom/workflows # Update workflows in custom directory @@ -70,10 +70,14 @@ Note: In GitHub Enterprise repos, shorthand source specs resolve on your enterpr noStopAfter, _ := cmd.Flags().GetBool("no-stop-after") stopAfter, _ := cmd.Flags().GetString("stop-after") noMergeFlag, _ := cmd.Flags().GetBool("no-merge") - disableReleaseBump, _ := cmd.Flags().GetBool("disable-release-bump") + disableReleaseBump, _ := cmd.Flags().GetBool("no-release-bump") + disableReleaseBumpLegacy, _ := cmd.Flags().GetBool("disable-release-bump") + disableReleaseBump = disableReleaseBump || disableReleaseBumpLegacy noCompile, _ := cmd.Flags().GetBool("no-compile") noRedirect, _ := cmd.Flags().GetBool("no-redirect") - disableSecurityScanner, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner, _ := cmd.Flags().GetBool("no-security-scanner") + disableSecurityScannerLegacy, _ := cmd.Flags().GetBool("disable-security-scanner") + disableSecurityScanner = disableSecurityScanner || disableSecurityScannerLegacy createPRFlag, _ := cmd.Flags().GetBool("create-pull-request") prFlagAlias, _ := cmd.Flags().GetBool("pr") createPR := createPRFlag || prFlagAlias @@ -137,8 +141,12 @@ Note: In GitHub Enterprise repos, shorthand source specs resolve on your enterpr cmd.Flags().Bool("no-stop-after", false, "Remove any stop-after field from the workflow") cmd.Flags().String("stop-after", "", "Override stop-after value in the workflow (e.g., '+48h', '2025-12-31 23:59:59')") cmd.Flags().Bool("no-merge", false, "Override local changes with upstream version instead of merging") + cmd.Flags().Bool("no-release-bump", false, "Disable automatic major version bumps for all actions (only core actions/* are force-updated)") cmd.Flags().Bool("disable-release-bump", false, "Disable automatic major version bumps for all actions (only core actions/* are force-updated)") + _ = cmd.Flags().MarkHidden("disable-release-bump") + cmd.Flags().Bool("no-security-scanner", false, "Disable security scanning of workflow markdown content") cmd.Flags().Bool("disable-security-scanner", false, "Disable security scanning of workflow markdown content") + _ = cmd.Flags().MarkHidden("disable-security-scanner") cmd.Flags().Bool("no-compile", false, "Skip recompiling workflows (do not modify lock files)") cmd.Flags().Bool("no-redirect", false, "Refuse updates when redirect frontmatter is present") addRepoFlag(cmd) @@ -168,7 +176,7 @@ func RunUpdateWorkflows(ctx context.Context, opts UpdateWorkflowsOptions) error // Update GitHub Actions versions in actions-lock.json. // By default all actions are updated to the latest major version. - // Pass --disable-release-bump to revert to only forcing updates for core (actions/*) actions. + // Pass --no-release-bump to revert to only forcing updates for core (actions/*) actions. updateLog.Printf("Updating GitHub Actions versions in actions-lock.json: allowMajor=%v, disableReleaseBump=%v", opts.AllowMajor, opts.DisableReleaseBump) if err := UpdateActions(ctx, opts.AllowMajor, opts.Verbose, opts.DisableReleaseBump, opts.CoolDown); err != nil { // Non-fatal: warn but don't fail the update diff --git a/pkg/cli/update_command_test.go b/pkg/cli/update_command_test.go index a59143b53a1..5110ffa1040 100644 --- a/pkg/cli/update_command_test.go +++ b/pkg/cli/update_command_test.go @@ -86,9 +86,13 @@ func TestNewUpdateCommand_HasDisableSecurityScannerFlag(t *testing.T) { cmd := NewUpdateCommand(func(string) error { return nil }) require.NotNil(t, cmd, "update command should be created") - flag := cmd.Flags().Lookup("disable-security-scanner") - require.NotNil(t, flag, "update command should register --disable-security-scanner") + flag := cmd.Flags().Lookup("no-security-scanner") + require.NotNil(t, flag, "update command should register --no-security-scanner") assert.Equal(t, "Disable security scanning of workflow markdown content", flag.Usage, "flag help text should match add/trial wording") + + // Undocumented alias should still be registered + deprecated := cmd.Flags().Lookup("disable-security-scanner") + require.NotNil(t, deprecated, "update command should keep --disable-security-scanner as undocumented alias") } func TestNewUpdateCommand_CoolDownFlagUsage(t *testing.T) { diff --git a/pkg/cli/update_integration_test.go b/pkg/cli/update_integration_test.go index d6b7d3982eb..79cd8c7ba39 100644 --- a/pkg/cli/update_integration_test.go +++ b/pkg/cli/update_integration_test.go @@ -224,7 +224,7 @@ func TestUpdateCommand_HelpText(t *testing.T) { // Should mention merge behavior assert.Contains(t, outputStr, "no-merge", "Help should document --no-merge flag") assert.Contains(t, outputStr, "no-redirect", "Help should document --no-redirect flag") - assert.Contains(t, outputStr, "disable-security-scanner", "Help should document --disable-security-scanner flag") + assert.Contains(t, outputStr, "no-security-scanner", "Help should document --no-security-scanner flag") assert.Contains(t, outputStr, "repo", "Help should document --repo flag") assert.Contains(t, outputStr, "3-way merge", "Help should explain merge behavior")