diff --git a/.github/aw/safe-outputs-automation.md b/.github/aw/safe-outputs-automation.md index 48307829833..349630678c7 100644 --- a/.github/aw/safe-outputs-automation.md +++ b/.github/aw/safe-outputs-automation.md @@ -118,7 +118,7 @@ description: Safe-output reference for workflow dispatch, code scanning, checks, ```yaml safe-outputs: create-code-scanning-alert: - max: 50 # Optional: max findings (default: 40) + max: 50 # Optional: max findings (default: unlimited) driver: "Custom Scanner" # Optional: SARIF tool.driver.name (default: "GitHub Agentic Workflows Security Scanner") github-token: ${{ secrets.MY_TOKEN }} # Optional: override token for security-events:write target-repo: "owner/repo" # Optional: cross-repository diff --git a/.github/aw/safe-outputs-content.md b/.github/aw/safe-outputs-content.md index eb9904ff259..aefdf36a59c 100644 --- a/.github/aw/safe-outputs-content.md +++ b/.github/aw/safe-outputs-content.md @@ -29,7 +29,7 @@ description: Safe-output reference for issue, discussion, comment, and pull requ `create_issue` output validation requires: - `body` minimum length: **20** characters - - `body` maximum length: **65000** characters + - `body` maximum length: **65536** characters **Auto-Expiration**: The `expires` field auto-closes issues after a time period. Supports integers (days) or relative formats (2h, 7d, 2w, 1m, 1y). Generates `agentics-maintenance.yml` workflow that runs at minimum required frequency based on shortest expiration time: 1 day or less → every 2 hours, 2 days → every 6 hours, 3-4 days → every 12 hours, 5+ days → daily. **Deduplication for Scheduled Workflows**: When `schedule:` is combined with `create-issue`, use `skip-if-match:` in the `on:` block to prevent opening a duplicate issue every run. Pair with `expires:` to clean up stale issues: diff --git a/.github/aw/safe-outputs-runtime.md b/.github/aw/safe-outputs-runtime.md index 2f7a2167ef5..6939eb173cc 100644 --- a/.github/aw/safe-outputs-runtime.md +++ b/.github/aw/safe-outputs-runtime.md @@ -124,6 +124,7 @@ The `report-incomplete` safe-output is enabled by default and is distinct from ` - `issue-created:` - Custom message when an issue is created. Placeholders: `{item_number}`, `{item_url}` - `commit-pushed:` - Custom message when a commit is pushed. Placeholders: `{commit_sha}`, `{short_sha}`, `{commit_url}` - `body-header:` - Custom header text prepended to every message body (issues, comments, PRs, discussions). Placeholders: `{workflow_name}`, `{run_url}` + - `disclosure-header:` - AI authorship disclosure header prepended to every message body. Set to `"true"` for built-in default text, or provide a custom template string. Placeholders: `{workflow_name}`, `{run_url}` - Example: ```yaml diff --git a/.github/aw/syntax-agentic.md b/.github/aw/syntax-agentic.md index a2ad53c8f2b..7c16ca7257b 100644 --- a/.github/aw/syntax-agentic.md +++ b/.github/aw/syntax-agentic.md @@ -17,7 +17,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - Values limited to 1024 characters - Example: `metadata: { team: "platform", priority: "high" }` - **`github-token:`** - GitHub token override (must use `${{ secrets.* }}` syntax). Not a top-level field: set it under `on:` (trigger checks), `tools.github`, or `safe-outputs`. -- **`on.roles:`** - Repository access roles that can trigger workflow (array or `"all"`). Default `[admin, maintainer, write]`; available roles: `admin`, `maintainer`, `write`, `read`, `all`. +- **`on.roles:`** - Repository access roles that can trigger workflow (array or `"all"`). Default `[admin, maintainer, write]`; available roles: `admin`, `maintainer`, `maintain`, `write`, `triage`, `read`, `all`. - **`on.bots:`** - Bot identifiers allowed to trigger workflow regardless of role permissions (array; e.g. `[dependabot[bot], renovate[bot], github-actions[bot]]`). The bot must be active (installed) on the repository to trigger. - **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`; strongly recommended) - Prefer `strict: true`; `strict: false` is dangerous, should be extremely rare, and must be carefully security reviewed before use @@ -307,6 +307,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - **`engine.driver:`** — canonical field to run a custom inner driver script instead of the engine's built-in CLI. For the `pi` engine it launches the driver directly with Node.js (e.g. built-in `pi_agent_core_driver.cjs`, or a workspace-relative path like `.github/drivers/pi_agent_core_driver_sample_node.cjs`); the driver must emit JSONL compatible with `parse_pi_log.cjs` so step summaries and token tracking keep working. Accepts a bare basename (resolved from the setup-action directory) or a workspace-relative path; no absolute paths, no `..`, only `.js`/`.cjs`/`.mjs` (pi). - **`copilot-sdk` / `engine.driver`** (experimental, copilot only): set `copilot-sdk: true` to start a headless Copilot CLI SDK sidecar. Set `driver: ` on the copilot engine to supply a custom SDK driver (`.js`/`.cjs`/`.mjs`/`.py`/`.ts`/`.mts`/`.rb`, or a bare PATH command); this also enables `copilot-sdk: true` automatically. Tune the repeated-tool-denial safeguard with the top-level `max-tool-denials:` field (default `5`). - **`engine.auth:`** — keyless Workload Identity Federation via the AWF API proxy instead of a static API key; requires `id-token: write`. Set `type: github-oidc` (only supported type) plus `provider: azure` (`azure-tenant-id`, `azure-client-id`, optional `azure-scope`/`azure-cloud`) for Azure OpenAI, or `provider: anthropic` (`federation-rule-id`, `organization-id`, `service-account-id`, `workspace-id`) for Claude. Optional `audience:`. Maps to `AWF_AUTH_*` env vars. + - **Advanced engine sub-fields** (see the `engine_config` definition in `pkg/parser/schemas/main_workflow_schema.json`): `model-provider` (`github` | `anthropic` | `openai`), `harness` (retry policy), engine-level `mcp` (`session-timeout`/`tool-timeout`), `extensions`, and `cwd`. - **`network:`** - Network access control for AI engines (top-level field) - String format: `"defaults"` (curated allow-list of development domains) diff --git a/.github/aw/syntax-core.md b/.github/aw/syntax-core.md index 8248ef5a50e..13f68fa268c 100644 --- a/.github/aw/syntax-core.md +++ b/.github/aw/syntax-core.md @@ -100,7 +100,7 @@ The YAML frontmatter supports these fields: - **`permissions:`** - GitHub token permissions - Object with permission levels: `read`, `none` (and limited `write` for specific scopes) - - Available permissions: `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`, `copilot-requests` + - Common permission scopes (not exhaustive; standard GitHub Actions scopes plus `models`, `copilot-requests`): `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`, `packages`, `pages`, `attestations`, `copilot-requests` - Write permissions are not allowed for security reasons; use `safe-outputs` for write operations instead - Exceptions: `id-token: write` is allowed to enable OIDC token minting; `copilot-requests: write` is recommended when targeting the Copilot coding agent so it can authenticate with `${{ github.token }}` - **`runs-on:`** - Runner type for the main agent job (string, array, or object)