Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/aw/safe-outputs-automation.md
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@ description: Safe-output reference for workflow dispatch, code scanning, checks,
```yaml
safe-outputs:
create-code-scanning-alert:
max: 50 # Optional: max findings (default: 40)
max: 50 # Optional: max findings (default: unlimited)
driver: "Custom Scanner" # Optional: SARIF tool.driver.name (default: "GitHub Agentic Workflows Security Scanner")
github-token: ${{ secrets.MY_TOKEN }} # Optional: override token for security-events:write
target-repo: "owner/repo" # Optional: cross-repository
Expand Down
2 changes: 1 addition & 1 deletion .github/aw/safe-outputs-content.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ description: Safe-output reference for issue, discussion, comment, and pull requ

`create_issue` output validation requires:
- `body` minimum length: **20** characters
- `body` maximum length: **65000** characters
- `body` maximum length: **65536** characters

**Auto-Expiration**: The `expires` field auto-closes issues after a time period. Supports integers (days) or relative formats (2h, 7d, 2w, 1m, 1y). Generates `agentics-maintenance.yml` workflow that runs at minimum required frequency based on shortest expiration time: 1 day or less → every 2 hours, 2 days → every 6 hours, 3-4 days → every 12 hours, 5+ days → daily.
**Deduplication for Scheduled Workflows**: When `schedule:` is combined with `create-issue`, use `skip-if-match:` in the `on:` block to prevent opening a duplicate issue every run. Pair with `expires:` to clean up stale issues:
Expand Down
1 change: 1 addition & 0 deletions .github/aw/safe-outputs-runtime.md
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ The `report-incomplete` safe-output is enabled by default and is distinct from `
- `issue-created:` - Custom message when an issue is created. Placeholders: `{item_number}`, `{item_url}`
- `commit-pushed:` - Custom message when a commit is pushed. Placeholders: `{commit_sha}`, `{short_sha}`, `{commit_url}`
- `body-header:` - Custom header text prepended to every message body (issues, comments, PRs, discussions). Placeholders: `{workflow_name}`, `{run_url}`
- `disclosure-header:` - AI authorship disclosure header prepended to every message body. Set to `"true"` for built-in default text, or provide a custom template string. Placeholders: `{workflow_name}`, `{run_url}`
- Example:

```yaml
Expand Down
3 changes: 2 additions & 1 deletion .github/aw/syntax-agentic.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor
- Values limited to 1024 characters
- Example: `metadata: { team: "platform", priority: "high" }`
- **`github-token:`** - GitHub token override (must use `${{ secrets.* }}` syntax). Not a top-level field: set it under `on:` (trigger checks), `tools.github`, or `safe-outputs`.
- **`on.roles:`** - Repository access roles that can trigger workflow (array or `"all"`). Default `[admin, maintainer, write]`; available roles: `admin`, `maintainer`, `write`, `read`, `all`.
- **`on.roles:`** - Repository access roles that can trigger workflow (array or `"all"`). Default `[admin, maintainer, write]`; available roles: `admin`, `maintainer`, `maintain`, `write`, `triage`, `read`, `all`.
- **`on.bots:`** - Bot identifiers allowed to trigger workflow regardless of role permissions (array; e.g. `[dependabot[bot], renovate[bot], github-actions[bot]]`). The bot must be active (installed) on the repository to trigger.
- **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`; strongly recommended)
- Prefer `strict: true`; `strict: false` is dangerous, should be extremely rare, and must be carefully security reviewed before use
Expand Down Expand Up @@ -307,6 +307,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor
- **`engine.driver:`** — canonical field to run a custom inner driver script instead of the engine's built-in CLI. For the `pi` engine it launches the driver directly with Node.js (e.g. built-in `pi_agent_core_driver.cjs`, or a workspace-relative path like `.github/drivers/pi_agent_core_driver_sample_node.cjs`); the driver must emit JSONL compatible with `parse_pi_log.cjs` so step summaries and token tracking keep working. Accepts a bare basename (resolved from the setup-action directory) or a workspace-relative path; no absolute paths, no `..`, only `.js`/`.cjs`/`.mjs` (pi).
- **`copilot-sdk` / `engine.driver`** (experimental, copilot only): set `copilot-sdk: true` to start a headless Copilot CLI SDK sidecar. Set `driver: <path-or-command>` on the copilot engine to supply a custom SDK driver (`.js`/`.cjs`/`.mjs`/`.py`/`.ts`/`.mts`/`.rb`, or a bare PATH command); this also enables `copilot-sdk: true` automatically. Tune the repeated-tool-denial safeguard with the top-level `max-tool-denials:` field (default `5`).
- **`engine.auth:`** — keyless Workload Identity Federation via the AWF API proxy instead of a static API key; requires `id-token: write`. Set `type: github-oidc` (only supported type) plus `provider: azure` (`azure-tenant-id`, `azure-client-id`, optional `azure-scope`/`azure-cloud`) for Azure OpenAI, or `provider: anthropic` (`federation-rule-id`, `organization-id`, `service-account-id`, `workspace-id`) for Claude. Optional `audience:`. Maps to `AWF_AUTH_*` env vars.
- **Advanced engine sub-fields** (see the `engine_config` definition in `pkg/parser/schemas/main_workflow_schema.json`): `model-provider` (`github` | `anthropic` | `openai`), `harness` (retry policy), engine-level `mcp` (`session-timeout`/`tool-timeout`), `extensions`, and `cwd`.

- **`network:`** - Network access control for AI engines (top-level field)
- String format: `"defaults"` (curated allow-list of development domains)
Expand Down
2 changes: 1 addition & 1 deletion .github/aw/syntax-core.md
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ The YAML frontmatter supports these fields:

- **`permissions:`** - GitHub token permissions
- Object with permission levels: `read`, `none` (and limited `write` for specific scopes)
- Available permissions: `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`, `copilot-requests`
- Common permission scopes (not exhaustive; standard GitHub Actions scopes plus `models`, `copilot-requests`): `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`, `packages`, `pages`, `attestations`, `copilot-requests`
- Write permissions are not allowed for security reasons; use `safe-outputs` for write operations instead
- Exceptions: `id-token: write` is allowed to enable OIDC token minting; `copilot-requests: write` is recommended when targeting the Copilot coding agent so it can authenticate with `${{ github.token }}`
- **`runs-on:`** - Runner type for the main agent job (string, array, or object)
Expand Down
Loading