From eaa6b2ad19ba4bef69b54fc1e864e2d5ff2c14a8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 21:20:17 +0000
Subject: [PATCH 1/5] Initial plan
From 0654f15271fec724e660512881e52a3c8f3fd3f0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 21:26:41 +0000
Subject: [PATCH 2/5] Initial analysis of workflow files for strict mode and
awf enablement
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
---
.github/workflows/audit-workflows.lock.yml | 18 +-
.github/workflows/blog-auditor.lock.yml | 18 +-
.github/workflows/campaign-generator.lock.yml | 42 ++--
.github/workflows/changeset.lock.yml | 199 ++++++++++++++-
.../workflows/cli-version-checker.lock.yml | 18 +-
.github/workflows/cloclo.lock.yml | 18 +-
.../workflows/close-old-discussions.lock.yml | 177 ++++++++++++-
.../commit-changes-analyzer.lock.yml | 18 +-
.../workflows/copilot-agent-analysis.lock.yml | 18 +-
.../copilot-session-insights.lock.yml | 18 +-
.github/workflows/daily-code-metrics.lock.yml | 18 +-
.github/workflows/daily-doc-updater.lock.yml | 18 +-
.github/workflows/daily-fact.lock.yml | 177 ++++++++++++-
.../workflows/daily-issues-report.lock.yml | 177 ++++++++++++-
.../daily-multi-device-docs-tester.lock.yml | 18 +-
.../daily-performance-summary.lock.yml | 177 ++++++++++++-
.github/workflows/deep-report.lock.yml | 177 ++++++++++++-
.github/workflows/dev.lock.yml | 234 ++++++++++++++----
.../developer-docs-consolidator.lock.yml | 18 +-
.../duplicate-code-detector.lock.yml | 177 ++++++++++++-
.../example-workflow-analyzer.lock.yml | 18 +-
.../github-mcp-structural-analysis.lock.yml | 18 +-
.../github-mcp-tools-report.lock.yml | 14 +-
.github/workflows/go-fan.lock.yml | 18 +-
...ze-reduction-project64.campaign.g.lock.yml | 72 ++++--
...go-file-size-reduction.campaign.g.lock.yml | 72 ++++--
.github/workflows/go-logger.lock.yml | 18 +-
.../workflows/go-pattern-detector.lock.yml | 18 +-
.../workflows/instructions-janitor.lock.yml | 18 +-
.github/workflows/issue-arborist.lock.yml | 177 ++++++++++++-
.github/workflows/lockfile-stats.lock.yml | 18 +-
.github/workflows/poem-bot.lock.yml | 42 ++--
.../prompt-clustering-analysis.lock.yml | 18 +-
.github/workflows/q.lock.yml | 18 +-
.github/workflows/safe-output-health.lock.yml | 18 +-
.../schema-consistency-checker.lock.yml | 14 +-
.github/workflows/scout.lock.yml | 18 +-
.github/workflows/security-fix-pr.lock.yml | 18 +-
.../semantic-function-refactor.lock.yml | 18 +-
.github/workflows/smoke-claude.lock.yml | 18 +-
.../workflows/smoke-codex-firewall.lock.yml | 177 ++++++++++++-
.github/workflows/smoke-codex.lock.yml | 177 ++++++++++++-
.github/workflows/smoke-detector.lock.yml | 18 +-
.../workflows/static-analysis-report.lock.yml | 18 +-
.github/workflows/sub-issue-closer.lock.yml | 42 ++--
.github/workflows/typist.lock.yml | 18 +-
.github/workflows/unbloat-docs.lock.yml | 18 +-
.github/workflows/workflow-generator.lock.yml | 112 ++++++---
48 files changed, 2414 insertions(+), 544 deletions(-)
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index 24c23595843..d9f5f1e19ed 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -322,7 +322,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -352,7 +352,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
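Review bot: The image `ghcr.io/github/github-mcp-server:v0.26.3` is referenced by tag only, here and in the MCP server arguments in the next hunk, where the container is given `GITHUB_PERSONAL_ACCESS_TOKEN`. The actions visible in this patch are pinned by commit SHA, and a tag can be re-pointed, so the image deserves the same treatment: `ghcr.io/github/github-mcp-server:v0.26.3@sha256:<digest-placeholder>`. The `mcr.microsoft.com/playwright/mcp` pull in the blog-auditor and cloclo hunks carries no tag at all. The same references recur in every lock file in this patch, which look generated, so the pin probably belongs in the generator; the run block starts outside this hunk.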
@@ -1894,7 +1894,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1933,7 +1933,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Agentic Workflow Audit Agent",
experimental: true,
supports_tools_allowlist: true,
@@ -1950,7 +1950,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1997,7 +1997,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'';
@@ -5975,9 +5975,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6943,7 +6943,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index 6f1834ae51a..85e3ecac1d4 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -255,7 +255,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -285,7 +285,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
run: |
@@ -1795,7 +1795,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1850,7 +1850,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Blog Auditor",
experimental: true,
supports_tools_allowlist: true,
@@ -1867,7 +1867,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","githubnext.com","www.githubnext.com"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1914,7 +1914,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5472,9 +5472,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6426,7 +6426,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml
index d8a8899dd66..d72be49b268 100644
--- a/.github/workflows/campaign-generator.lock.yml
+++ b/.github/workflows/campaign-generator.lock.yml
@@ -287,7 +287,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
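Review bot: The installer script is downloaded from the mutable `main` branch and executed under `sudo` with no integrity check. `VERSION=0.0.371` presumably pins what the script installs, not the script itself. Fetching the script from a commit-pinned URL and verifying it before execution would close that gap, for example `echo "<expected-sha256>  /tmp/copilot-install.sh" | sha256sum -c -` ahead of the `sudo bash` line. The same pattern appears in the later hunk of this file at `@@ -6561`; the run block starts outside both hunks.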
@@ -331,7 +331,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1887,7 +1887,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -1936,7 +1936,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Campaign Generator",
experimental: false,
supports_tools_allowlist: true,
@@ -1953,7 +1953,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2000,7 +2000,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5574,9 +5574,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6561,7 +6561,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -7522,7 +7522,7 @@ jobs:
};
EOF_4d21ccbd
- cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_006d32d7'
+ cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_60283df2'
// @ts-check
///
@@ -7607,11 +7607,12 @@ jobs:
* @param {boolean} params.canUpdateStatus - Whether status updates are allowed
* @param {boolean} params.canUpdateTitle - Whether title updates are allowed
* @param {boolean} params.canUpdateBody - Whether body updates are allowed
+ * @param {boolean} [params.canUpdateLabels] - Whether label updates are allowed
* @param {boolean} params.supportsStatus - Whether this type supports status
* @returns {{hasUpdates: boolean, updateData: any, logMessages: string[]}}
*/
function buildUpdateData(params) {
- const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, supportsStatus } = params;
+ const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, canUpdateLabels, supportsStatus } = params;
/** @type {any} */
const updateData = {};
@@ -7661,6 +7662,17 @@ jobs:
}
}
+ // Handle labels update
+ if (canUpdateLabels && item.labels !== undefined) {
+ if (Array.isArray(item.labels)) {
+ updateData.labels = item.labels;
+ hasUpdates = true;
+ logMessages.push(`Will update labels to: ${item.labels.join(", ")}`);
+ } else {
+ logMessages.push("Invalid labels value: must be an array");
+ }
+ }
+
return { hasUpdates, updateData, logMessages };
}
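Review bot: `item.labels` is copied into `updateData.labels` after only an `Array.isArray` check, so arrays holding non-string elements pass through, and there is no cap or allow-list on which labels may be set. Whether `item` is validated before it reaches `buildUpdateData` is not visible here; if it comes from agent output, the guard should be tightened to `if (Array.isArray(item.labels) && item.labels.every(l => typeof l === "string")) {`. The labels are also joined into a log message, so stripping newlines from each before logging would keep the log lines intact. The identical hunk appears in changeset.lock.yml; `buildUpdateData` starts outside the hunk.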
@@ -7705,12 +7717,13 @@ jobs:
const canUpdateStatus = process.env.GH_AW_UPDATE_STATUS === "true";
const canUpdateTitle = process.env.GH_AW_UPDATE_TITLE === "true";
const canUpdateBody = process.env.GH_AW_UPDATE_BODY === "true";
+ const canUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true";
core.info(`Update target configuration: ${updateTarget}`);
if (supportsStatus) {
- core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
} else {
- core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
}
// Check context validity
@@ -7754,6 +7767,7 @@ jobs:
canUpdateStatus,
canUpdateTitle,
canUpdateBody,
+ canUpdateLabels,
supportsStatus,
});
@@ -7875,7 +7889,7 @@ jobs:
createGetSummaryLine,
};
- EOF_006d32d7
+ EOF_60283df2
- name: Assign To Agent
id: assign_to_agent
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'assign_to_agent'))
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index 9028f71a96c..0993dbd152d 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -988,7 +988,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -1026,7 +1026,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -2600,7 +2600,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -2623,7 +2623,7 @@ jobs:
engine_name: "Codex",
model: "gpt-5-mini",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Changeset Generator",
experimental: true,
supports_tools_allowlist: true,
@@ -2640,7 +2640,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","node"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2687,7 +2687,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6244,9 +6244,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-changeset-generator
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
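Review bot: In `isRequestAllowed` the status-code test runs before the decision test, so a log line whose decision contains `TCP_DENIED` but whose status is 200 would be counted as allowed and the summary would under-report blocked requests. Checking the deny indicators first closes that gap: move `if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) return false;` to the top of the function. Separately, `domain` is taken from the log and written into the Markdown table unescaped before `core.summary.addRaw`; escaping `|` and rendering the cell as a code span would stop a crafted hostname from reshaping the table. The same added code appears in the close-old-discussions.lock.yml hunk, and since these lock files look generated the fix likely belongs in the script source.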
@@ -8269,7 +8428,7 @@ jobs:
};
EOF_d0693c3b
- cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_006d32d7'
+ cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_60283df2'
// @ts-check
///
@@ -8354,11 +8513,12 @@ jobs:
* @param {boolean} params.canUpdateStatus - Whether status updates are allowed
* @param {boolean} params.canUpdateTitle - Whether title updates are allowed
* @param {boolean} params.canUpdateBody - Whether body updates are allowed
+ * @param {boolean} [params.canUpdateLabels] - Whether label updates are allowed
* @param {boolean} params.supportsStatus - Whether this type supports status
* @returns {{hasUpdates: boolean, updateData: any, logMessages: string[]}}
*/
function buildUpdateData(params) {
- const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, supportsStatus } = params;
+ const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, canUpdateLabels, supportsStatus } = params;
/** @type {any} */
const updateData = {};
@@ -8408,6 +8568,17 @@ jobs:
}
}
+ // Handle labels update
+ if (canUpdateLabels && item.labels !== undefined) {
+ if (Array.isArray(item.labels)) {
+ updateData.labels = item.labels;
+ hasUpdates = true;
+ logMessages.push(`Will update labels to: ${item.labels.join(", ")}`);
+ } else {
+ logMessages.push("Invalid labels value: must be an array");
+ }
+ }
+
return { hasUpdates, updateData, logMessages };
}
@@ -8452,12 +8623,13 @@ jobs:
const canUpdateStatus = process.env.GH_AW_UPDATE_STATUS === "true";
const canUpdateTitle = process.env.GH_AW_UPDATE_TITLE === "true";
const canUpdateBody = process.env.GH_AW_UPDATE_BODY === "true";
+ const canUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true";
core.info(`Update target configuration: ${updateTarget}`);
if (supportsStatus) {
- core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
} else {
- core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
}
// Check context validity
@@ -8501,6 +8673,7 @@ jobs:
canUpdateStatus,
canUpdateTitle,
canUpdateBody,
+ canUpdateLabels,
supportsStatus,
});
@@ -8622,7 +8795,7 @@ jobs:
createGetSummaryLine,
};
- EOF_006d32d7
+ EOF_60283df2
- name: Update Pull Request
id: update_pull_request
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'update_pull_request'))
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index edf443f7e6b..97567db2027 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -273,7 +273,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -303,7 +303,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1833,7 +1833,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1872,7 +1872,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "CLI Version Checker",
experimental: true,
supports_tools_allowlist: true,
@@ -1889,7 +1889,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","node","api.github.com","ghcr.io"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1936,7 +1936,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5474,9 +5474,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6432,7 +6432,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 01ffb8598a7..3c1e892a229 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -1064,7 +1064,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -1094,7 +1094,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
run: |
@@ -2654,7 +2654,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -2722,7 +2722,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "/cloclo",
experimental: true,
supports_tools_allowlist: true,
@@ -2739,7 +2739,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2786,7 +2786,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6342,9 +6342,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7306,7 +7306,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/close-old-discussions.lock.yml b/.github/workflows/close-old-discussions.lock.yml
index 36428eb38f0..aab970964ab 100644
--- a/.github/workflows/close-old-discussions.lock.yml
+++ b/.github/workflows/close-old-discussions.lock.yml
@@ -279,7 +279,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -317,7 +317,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1839,7 +1839,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -1862,7 +1862,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Close Outdated Discussions",
experimental: true,
supports_tools_allowlist: true,
@@ -1879,7 +1879,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1926,7 +1926,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5426,9 +5426,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-close-outdated-discussions
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
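Review bot: The table row added in `generateFirewallSummary` interpolates `domain` into Markdown unescaped, and that value is field 2 of a proxy log line describing the sandboxed agent's traffic, so it is best treated as untrusted. `parseFirewallLogLine` accepts any run of non-space, non-quote characters in that field, so `|`, backticks or `<` may reach `core.summary.addRaw` if the proxy ever logs them. Neutralising the value first, e.g. `const cell = domain.replace(/[^A-Za-z0-9.:_-]/g, "_");` and interpolating `cell` instead, keeps a crafted host name from reshaping the summary table. The same added block appears in the daily-fact.lock.yml and daily-issues-report.lock.yml hunks; if these lock files are compiled from a template, the change belongs in that template. The function starts above this hunk and continues below it.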
@@ -6384,7 +6543,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index f1da96f7804..33703664257 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -257,7 +257,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -287,7 +287,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1796,7 +1796,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1835,7 +1835,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Commit Changes Analyzer",
experimental: true,
supports_tools_allowlist: true,
@@ -1852,7 +1852,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1899,7 +1899,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5393,9 +5393,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6344,7 +6344,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index 21ed5f0de95..6f25ece9596 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -282,7 +282,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -312,7 +312,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1821,7 +1821,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1860,7 +1860,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Copilot Agent PR Analysis",
experimental: true,
supports_tools_allowlist: true,
@@ -1877,7 +1877,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1924,7 +1924,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5784,9 +5784,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6742,7 +6742,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index 6dd6ea140fd..395b9236e7f 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -308,7 +308,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -338,7 +338,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1876,7 +1876,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1915,7 +1915,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Copilot Session Insights",
experimental: true,
supports_tools_allowlist: true,
@@ -1932,7 +1932,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github","python"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1979,7 +1979,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6516,9 +6516,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7481,7 +7481,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index 3d2cbd817af..ef1f8f397c0 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -295,7 +295,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -325,7 +325,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1834,7 +1834,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1873,7 +1873,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Daily Code Metrics and Trend Tracking Agent",
experimental: true,
supports_tools_allowlist: true,
@@ -1890,7 +1890,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1937,7 +1937,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6018,9 +6018,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6979,7 +6979,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index c65b8cb9ac8..dc022e7a490 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -266,7 +266,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -296,7 +296,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1815,7 +1815,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1854,7 +1854,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Daily Documentation Updater",
experimental: true,
supports_tools_allowlist: true,
@@ -1871,7 +1871,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1918,7 +1918,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5311,9 +5311,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6279,7 +6279,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml
index 227bca5d40c..0621a54545a 100644
--- a/.github/workflows/daily-fact.lock.yml
+++ b/.github/workflows/daily-fact.lock.yml
@@ -244,7 +244,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -282,7 +282,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1783,7 +1783,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -1806,7 +1806,7 @@ jobs:
engine_name: "Codex",
model: "gpt-5-mini",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Daily Fact About gh-aw",
experimental: true,
supports_tools_allowlist: true,
@@ -1823,7 +1823,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1870,7 +1870,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5248,9 +5248,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-daily-fact-about-gh-aw
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
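Review bot: The headline figures in `generateFirewallSummary` stop adding up as soon as one log entry has `-` as its domain, because `totalRequests` counts every parsed line while the allowed and blocked numbers are summed only over `validDomains`. Denied requests with no recorded domain therefore drop out of the blocked count, which is the number a reader of the step summary checks first. `main` already passes `allowedRequests` and `deniedRequests`, but the function never reads them; destructuring them with `const { totalRequests, allowedRequests, deniedRequests, requestsByDomain } = analysis;` and printing those in the headline would keep the totals consistent. The close-old-discussions.lock.yml and daily-issues-report.lock.yml hunks carry the same code.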
@@ -6203,7 +6362,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index a76841daf5b..8b363058198 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -301,7 +301,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -339,7 +339,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1942,7 +1942,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -1965,7 +1965,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Daily Issues Report Generator",
experimental: true,
supports_tools_allowlist: true,
@@ -1982,7 +1982,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","python"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2029,7 +2029,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6413,9 +6413,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-daily-issues-report-generator
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
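Review bot: `isRequestAllowed` tests the status code before the proxy decision, so a line with status 200, 206 or 304 is counted as allowed even when its decision field contains `TCP_DENIED` or `NONE_NONE`. For a firewall report it is safer to test the deny markers first and reach the allow checks only afterwards; moving the third `if` to the top of the function does that with no other change. Where it stands now that `if` is redundant, since the statement after it returns `false` as well. A one-line comment noting that `parseInt(status, 10)` yields `NaN` for a non-numeric field, and that such lines fall through to "not allowed", would document the fail-closed default. The same function is added in the close-old-discussions.lock.yml and daily-fact.lock.yml hunks.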
@@ -7381,7 +7540,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 1b019ef7869..2d55bd00b91 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -259,7 +259,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -289,7 +289,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
run: |
@@ -1849,7 +1849,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1904,7 +1904,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Multi-Device Docs Tester",
experimental: true,
supports_tools_allowlist: true,
@@ -1921,7 +1921,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["node"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1968,7 +1968,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5293,9 +5293,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6254,7 +6254,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index eeb10be1ed6..5d09c3ea7b5 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -293,7 +293,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -331,7 +331,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -3617,7 +3617,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -3646,7 +3646,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Daily Project Performance Summary Generator (Using Safe Inputs)",
experimental: true,
supports_tools_allowlist: true,
@@ -3663,7 +3663,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -3710,7 +3710,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -7876,9 +7876,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-daily-project-performance-summary-generator-using-safe-inputs-
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
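Review bot: `isRequestAllowed` lets the HTTP status override an explicit deny decision: the 200/206/304 check returns true before `decision` is inspected, so a line logged with `TCP_DENIED` and one of those statuses would be counted as allowed in the summary. For an audit view of sandbox egress the deny markers should win, e.g. make `if (decision.includes("TCP_DENIED") || decision.includes("NONE_NONE")) return false;` the first statement of the function. The last `if` is also redundant, since it and the fall-through both return false; a comment such as `// unknown decisions are treated as blocked` would state that intent. The identical function is added in the deep-report.lock.yml hunk, and because these lock files appear to be generated, the change probably belongs in the script they are compiled from.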
@@ -8844,7 +9003,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index 9facc42777d..cf1867aae98 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -324,7 +324,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -362,7 +362,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1911,7 +1911,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=all",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -1934,7 +1934,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "DeepReport - Intelligence Gathering Agent",
experimental: true,
supports_tools_allowlist: true,
@@ -1951,7 +1951,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","python","node"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1998,7 +1998,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5894,9 +5894,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-deepreport-intelligence-gathering-agent
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
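Review bot: The per-domain table rows at the top of this hunk interpolate `${domain}` from the proxy log straight into Markdown that `core.summary.addRaw` writes to the step summary. That field reflects whatever host the sandboxed agent requested, and `parseFirewallLogLine` accepts any run of non-space characters for it, so a value containing `|`, backticks or markup could distort the table or add unintended content to the report; whether the proxy can actually log such characters is not visible here. Constrain the value before rendering, for example `const safeDomain = domain.replace(/[^A-Za-z0-9.:_\[\]-]/g, "?");`, and use `safeDomain` in the row. The `generateFirewallSummary` that contains these rows starts outside the hunk, and the same rows are added in daily-performance-summary.lock.yml.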
@@ -6872,7 +7031,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index fb168fe885b..00a614e66aa 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -240,7 +240,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -284,7 +284,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -3157,7 +3157,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=discussions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -3220,7 +3220,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Dev",
experimental: false,
supports_tools_allowlist: true,
@@ -3237,7 +3237,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["api.github.com"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -3284,7 +3284,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6797,9 +6797,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7746,7 +7746,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -8404,7 +8404,7 @@ jobs:
};
EOF_4d21ccbd
- cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_006d32d7'
+ cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_60283df2'
// @ts-check
///
@@ -8489,11 +8489,12 @@ jobs:
* @param {boolean} params.canUpdateStatus - Whether status updates are allowed
* @param {boolean} params.canUpdateTitle - Whether title updates are allowed
* @param {boolean} params.canUpdateBody - Whether body updates are allowed
+ * @param {boolean} [params.canUpdateLabels] - Whether label updates are allowed
* @param {boolean} params.supportsStatus - Whether this type supports status
* @returns {{hasUpdates: boolean, updateData: any, logMessages: string[]}}
*/
function buildUpdateData(params) {
- const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, supportsStatus } = params;
+ const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, canUpdateLabels, supportsStatus } = params;
/** @type {any} */
const updateData = {};
@@ -8543,6 +8544,17 @@ jobs:
}
}
+ // Handle labels update
+ if (canUpdateLabels && item.labels !== undefined) {
+ if (Array.isArray(item.labels)) {
+ updateData.labels = item.labels;
+ hasUpdates = true;
+ logMessages.push(`Will update labels to: ${item.labels.join(", ")}`);
+ } else {
+ logMessages.push("Invalid labels value: must be an array");
+ }
+ }
+
return { hasUpdates, updateData, logMessages };
}
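Review bot: The new labels branch checks only `Array.isArray(item.labels)`, so non-string or empty elements pass through to `updateData.labels` and into the log message built with `join(", ")`. If `item` originates from agent output (not confirmable from this hunk), reject anything that is not a list of non-empty strings: `if (Array.isArray(item.labels) && item.labels.every(l => typeof l === "string" && l.trim() !== ""))`. An empty array is also accepted and sets `hasUpdates`, which in the discussion update path later in this file removes every current label and adds none; a comment such as `// an empty array clears all labels` would record that this is intended. `buildUpdateData` starts outside this hunk.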
@@ -8587,12 +8599,13 @@ jobs:
const canUpdateStatus = process.env.GH_AW_UPDATE_STATUS === "true";
const canUpdateTitle = process.env.GH_AW_UPDATE_TITLE === "true";
const canUpdateBody = process.env.GH_AW_UPDATE_BODY === "true";
+ const canUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true";
core.info(`Update target configuration: ${updateTarget}`);
if (supportsStatus) {
- core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
} else {
- core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
}
// Check context validity
@@ -8636,6 +8649,7 @@ jobs:
canUpdateStatus,
canUpdateTitle,
canUpdateBody,
+ canUpdateLabels,
supportsStatus,
});
@@ -8757,7 +8771,7 @@ jobs:
createGetSummaryLine,
};
- EOF_006d32d7
+ EOF_60283df2
- name: Update Discussion
id: update_discussion
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'update_discussion'))
@@ -8788,8 +8802,28 @@ jobs:
includeOperation: false,
});
async function executeDiscussionUpdate(github, context, discussionNumber, updateData) {
- const { _operation, _rawBody, ...fieldsToUpdate } = updateData;
- const getDiscussionQuery = `
+ const { _operation, _rawBody, labels, ...fieldsToUpdate } = updateData;
+ const shouldUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true" && labels !== undefined;
+ const getDiscussionQuery = shouldUpdateLabels
+ ? `
+ query($owner: String!, $repo: String!, $number: Int!) {
+ repository(owner: $owner, name: $repo) {
+ discussion(number: $number) {
+ id
+ title
+ body
+ url
+ labels(first: 100) {
+ nodes {
+ id
+ name
+ }
+ }
+ }
+ }
+ }
+ `
+ : `
query($owner: String!, $repo: String!, $number: Int!) {
repository(owner: $owner, name: $repo) {
discussion(number: $number) {
@@ -8809,9 +8843,11 @@ jobs:
if (!queryResult?.repository?.discussion) {
throw new Error(`Discussion #${discussionNumber} not found`);
}
- const discussionId = queryResult.repository.discussion.id;
- if (fieldsToUpdate.title === undefined && fieldsToUpdate.body === undefined) {
- throw new Error("At least one field (title or body) must be provided for update");
+ const discussion = queryResult.repository.discussion;
+ const discussionId = discussion.id;
+ const currentLabels = shouldUpdateLabels ? discussion.labels?.nodes || [] : [];
+ if (fieldsToUpdate.title === undefined && fieldsToUpdate.body === undefined && !shouldUpdateLabels) {
+ throw new Error("At least one field (title, body, or labels) must be provided for update");
}
if (fieldsToUpdate.body !== undefined) {
const workflowName = process.env.GH_AW_WORKFLOW_NAME || "Workflow";
@@ -8826,22 +8862,130 @@ jobs:
const footer = generateFooterWithMessages(workflowName, runUrl, workflowSource, workflowSourceURL, triggeringIssueNumber, triggeringPRNumber, triggeringDiscussionNumber);
fieldsToUpdate.body = fieldsToUpdate.body + footer;
}
- const mutationFields = [];
- if (fieldsToUpdate.title !== undefined) {
- mutationFields.push("title: $title");
+ if (fieldsToUpdate.title !== undefined || fieldsToUpdate.body !== undefined) {
+ const mutationFields = [];
+ if (fieldsToUpdate.title !== undefined) {
+ mutationFields.push("title: $title");
+ }
+ if (fieldsToUpdate.body !== undefined) {
+ mutationFields.push("body: $body");
+ }
+ const updateDiscussionMutation = `
+ mutation($discussionId: ID!${fieldsToUpdate.title !== undefined ? ", $title: String!" : ""}${fieldsToUpdate.body !== undefined ? ", $body: String!" : ""}) {
+ updateDiscussion(input: {
+ discussionId: $discussionId
+ ${mutationFields.join("\n ")}
+ }) {
+ discussion {
+ id
+ number
+ title
+ body
+ url
+ }
+ }
+ }
+ `;
+ const variables = {
+ discussionId: discussionId,
+ };
+ if (fieldsToUpdate.title !== undefined) {
+ variables.title = fieldsToUpdate.title;
+ }
+ if (fieldsToUpdate.body !== undefined) {
+ variables.body = fieldsToUpdate.body;
+ }
+ const mutationResult = await github.graphql(updateDiscussionMutation, variables);
+ if (!mutationResult?.updateDiscussion?.discussion) {
+ throw new Error("Failed to update discussion");
+ }
}
- if (fieldsToUpdate.body !== undefined) {
- mutationFields.push("body: $body");
- }
- const updateDiscussionMutation = `
- mutation($discussionId: ID!${fieldsToUpdate.title !== undefined ? ", $title: String!" : ""}${fieldsToUpdate.body !== undefined ? ", $body: String!" : ""}) {
- updateDiscussion(input: {
- discussionId: $discussionId
- ${mutationFields.join("\n ")}
- }) {
- discussion {
+ if (shouldUpdateLabels && Array.isArray(labels)) {
+ const repoQuery = `
+ query($owner: String!, $repo: String!) {
+ repository(owner: $owner, name: $repo) {
+ id
+ labels(first: 100) {
+ nodes {
+ id
+ name
+ }
+ }
+ }
+ }
+ `;
+ const repoResult = await github.graphql(repoQuery, {
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (!repoResult?.repository) {
+ throw new Error(`Repository ${context.repo.owner}/${context.repo.repo} not found`);
+ }
+ const repoLabels = repoResult.repository.labels?.nodes || [];
+ const labelIds = labels.map(labelName => {
+ const label = repoLabels.find(l => l.name === labelName);
+ if (!label) {
+ throw new Error(`Label "${labelName}" not found in repository`);
+ }
+ return label.id;
+ });
+ if (currentLabels.length > 0) {
+ const removeLabelsMutation = `
+ mutation($labelableId: ID!, $labelIds: [ID!]!) {
+ removeLabelsFromLabelable(input: {
+ labelableId: $labelableId
+ labelIds: $labelIds
+ }) {
+ clientMutationId
+ }
+ }
+ `;
+ await github.graphql(removeLabelsMutation, {
+ labelableId: discussionId,
+ labelIds: currentLabels.map(l => l.id),
+ });
+ }
+ if (labelIds.length > 0) {
+ const addLabelsMutation = `
+ mutation($labelableId: ID!, $labelIds: [ID!]!) {
+ addLabelsToLabelable(input: {
+ labelableId: $labelableId
+ labelIds: $labelIds
+ }) {
+ clientMutationId
+ }
+ }
+ `;
+ await github.graphql(addLabelsMutation, {
+ labelableId: discussionId,
+ labelIds: labelIds,
+ });
+ }
+ }
+ const finalQuery = shouldUpdateLabels
+ ? `
+ query($owner: String!, $repo: String!, $number: Int!) {
+ repository(owner: $owner, name: $repo) {
+ discussion(number: $number) {
+ id
+ title
+ body
+ url
+ labels(first: 100) {
+ nodes {
+ id
+ name
+ }
+ }
+ }
+ }
+ }
+ `
+ : `
+ query($owner: String!, $repo: String!, $number: Int!) {
+ repository(owner: $owner, name: $repo) {
+ discussion(number: $number) {
id
- number
title
body
url
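Review bot: Label names are resolved to IDs only after the `updateDiscussion` mutation has already run, so an unknown label throws `Label "..." not found in repository` with the title or body already changed, and the caller sees a failure for a partially applied update. Moving the repository label query and the `labels.map(...)` lookup above the title/body mutation makes validation happen before any write. Two related gaps in the same block: `labels(first: 100)` is not paginated, so a label beyond the first page is reported as missing, and all current labels are removed before the new set is added, which leaves the discussion unlabelled if `addLabelsToLabelable` fails. `executeDiscussionUpdate` begins in an earlier hunk and ends in the next one.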
@@ -8849,23 +8993,15 @@ jobs:
}
}
`;
- const variables = {
- discussionId: discussionId,
- };
- if (fieldsToUpdate.title !== undefined) {
- variables.title = fieldsToUpdate.title;
- }
- if (fieldsToUpdate.body !== undefined) {
- variables.body = fieldsToUpdate.body;
- }
- const mutationResult = await github.graphql(updateDiscussionMutation, variables);
- if (!mutationResult?.updateDiscussion?.discussion) {
- throw new Error("Failed to update discussion");
- }
- const discussion = mutationResult.updateDiscussion.discussion;
+ const finalQueryResult = await github.graphql(finalQuery, {
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ number: discussionNumber,
+ });
+ const updatedDiscussion = finalQueryResult.repository.discussion;
return {
- ...discussion,
- html_url: discussion.url,
+ ...updatedDiscussion,
+ html_url: updatedDiscussion.url,
};
}
const getSummaryLine = createGetSummaryLine({
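Review bot: `finalQueryResult.repository.discussion` is dereferenced without the guard the first lookup has (`if (!queryResult?.repository?.discussion)`), so a null result after the mutations surfaces as a TypeError instead of a clear error. Add `if (!finalQueryResult?.repository?.discussion) throw new Error("Discussion #" + discussionNumber + " not found after update");` before the return value is built. The returned object also no longer carries `number`, because the re-fetch selection in the preceding hunk omits it where the old mutation result included it. Callers of `executeDiscussionUpdate` are not visible here, so confirm none read `number`, or add it to both variants of the final query.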
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index 63628e9c8dd..96741703c5a 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -284,7 +284,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -314,7 +314,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1885,7 +1885,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1937,7 +1937,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Developer Documentation Consolidator",
experimental: true,
supports_tools_allowlist: true,
@@ -1954,7 +1954,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2001,7 +2001,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5930,9 +5930,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6895,7 +6895,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index 0d17c824941..46aece0fda4 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -255,7 +255,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -293,7 +293,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1831,7 +1831,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -1867,7 +1867,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Duplicate Code Detector",
experimental: true,
supports_tools_allowlist: true,
@@ -1884,7 +1884,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1931,7 +1931,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5481,9 +5481,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-duplicate-code-detector
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
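Review bot: `isRequestAllowed` tests the status code before the Squid decision, so a log line whose decision contains `TCP_DENIED` but whose status is 200, 206 or 304 would be counted as allowed; in a firewall report the deny markers should win. Making `if (decision.includes("TCP_DENIED") || decision.includes("NONE_NONE")) return false;` the first statement fixes the ordering, and the current last `if` can then go, since its branch and the fall-through both return false. Separately, `domain` is taken from the log and written into the table row unescaped before `core.summary.addRaw(summary)`. Because the sandboxed agent chooses the hostnames it requests, escaping `|`, `<` and `>` in that value would keep a crafted name from altering the rendered step summary. The `generateFirewallSummary` body at the top and bottom of this hunk starts and ends outside it.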
@@ -6432,7 +6591,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index 58408906947..2b2d3d8735e 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -256,7 +256,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -286,7 +286,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Install gh-aw extension
env:
GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@@ -1816,7 +1816,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1855,7 +1855,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Weekly Workflow Analysis",
experimental: true,
supports_tools_allowlist: true,
@@ -1872,7 +1872,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1919,7 +1919,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5142,9 +5142,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6093,7 +6093,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index 3b51245ff64..8f9edd03f2b 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -300,7 +300,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -330,7 +330,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1868,7 +1868,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=all",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1907,7 +1907,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "GitHub MCP Structural Analysis",
experimental: true,
supports_tools_allowlist: true,
@@ -1924,7 +1924,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","python"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1971,7 +1971,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5870,9 +5870,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6835,7 +6835,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 26ca19b57cc..7825fda3a33 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -274,7 +274,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1875,7 +1875,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "GitHub MCP Remote Server Tools Report Generator",
experimental: true,
supports_tools_allowlist: true,
@@ -1892,7 +1892,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1939,7 +1939,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5742,9 +5742,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6707,7 +6707,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index 276db272b28..b8580010ac1 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -282,7 +282,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -312,7 +312,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1821,7 +1821,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1873,7 +1873,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Go Fan",
experimental: true,
supports_tools_allowlist: true,
@@ -1890,7 +1890,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github","go"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1937,7 +1937,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5528,9 +5528,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6489,7 +6489,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
index 80819b97ab5..1b57eae222f 100644
--- a/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction-project64.campaign.g.lock.yml
@@ -239,7 +239,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
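Review bot: `VERSION=0.0.371` pins the CLI release, but the installer itself is downloaded from the `main` branch of github/copilot-cli on the line above and then run with `sudo bash`, so the script that executes as root is neither pinned nor verified. Fetching install.sh from a commit SHA or release tag and checking it before execution would close that gap, for example `echo "<expected sha256>  /tmp/copilot-install.sh" | sha256sum -c -` ahead of the `sudo bash` line. The three other copilot-cli install hunks in this part of the patch have the same shape.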
@@ -283,7 +283,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1859,7 +1859,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -1908,7 +1908,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Go File Size Reduction Campaign (Project 64)",
experimental: false,
supports_tools_allowlist: true,
@@ -1925,7 +1925,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1972,7 +1972,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5631,9 +5631,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6579,7 +6579,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -7721,29 +7721,29 @@ jobs:
globalThis.io = io;
const { loadAgentOutput } = require('/tmp/gh-aw/scripts/load_agent_output.cjs');
function logGraphQLError(error, operation) {
- (core.error(`GraphQL Error during: ${operation}`), core.error(`Message: ${error.message}`));
+ (core.info(`GraphQL Error during: ${operation}`), core.info(`Message: ${error.message}`));
const errorList = Array.isArray(error.errors) ? error.errors : [],
hasInsufficientScopes = errorList.some(e => e && "INSUFFICIENT_SCOPES" === e.type),
hasNotFound = errorList.some(e => e && "NOT_FOUND" === e.type);
(hasInsufficientScopes
- ? core.error(
+ ? core.info(
"This looks like a token permission problem for Projects v2. The GraphQL fields used by update_project require a token with Projects access (classic PAT: scope 'project'; fine-grained PAT: Organization permission 'Projects' and access to the org). Fix: set safe-outputs.update-project.github-token to a secret PAT that can access the target org project."
)
: hasNotFound &&
/projectV2\b/.test(error.message) &&
- core.error(
+ core.info(
"GitHub returned NOT_FOUND for ProjectV2. This can mean either: (1) the project number is wrong for Projects v2, (2) the project is a classic Projects board (not Projects v2), or (3) the token does not have access to that org/user project."
),
error.errors &&
- (core.error(`Errors array (${error.errors.length} error(s)):`),
+ (core.info(`Errors array (${error.errors.length} error(s)):`),
error.errors.forEach((err, idx) => {
- (core.error(` [${idx + 1}] ${err.message}`),
- err.type && core.error(` Type: ${err.type}`),
- err.path && core.error(` Path: ${JSON.stringify(err.path)}`),
- err.locations && core.error(` Locations: ${JSON.stringify(err.locations)}`));
+ (core.info(` [${idx + 1}] ${err.message}`),
+ err.type && core.info(` Type: ${err.type}`),
+ err.path && core.info(` Path: ${JSON.stringify(err.path)}`),
+ err.locations && core.info(` Locations: ${JSON.stringify(err.locations)}`));
})),
- error.request && core.error(`Request: ${JSON.stringify(error.request, null, 2)}`),
- error.data && core.error(`Response data: ${JSON.stringify(error.data, null, 2)}`));
+ error.request && core.info(`Request: ${JSON.stringify(error.request, null, 2)}`),
+ error.data && core.info(`Response data: ${JSON.stringify(error.data, null, 2)}`));
}
function parseProjectInput(projectUrl) {
if (!projectUrl || "string" != typeof projectUrl) throw new Error(`Invalid project input: expected string, got ${typeof projectUrl}. The "project" field is required and must be a full GitHub project URL.`);
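Review bot: With every `core.error` in `logGraphQLError` changed to `core.info`, a failed GraphQL call no longer produces an error annotation, including the `INSUFFICIENT_SCOPES` branch that reports a token permission problem. Unless the caller fails the step itself (not visible in this hunk), a run in which the project update was rejected will look clean. Keeping the two diagnosis messages at `core.warning(...)` would preserve that signal while still quieting the per-error detail lines. The `Request:` line also writes `JSON.stringify(error.request, null, 2)` to the log, so it is worth confirming that object never carries credential headers. The identical hunk in go-file-size-reduction.campaign.g.lock.yml is affected in the same way.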
@@ -7917,10 +7917,13 @@ jobs:
const contentType = "pull_request" === output.content_type ? "PullRequest" : "issue" === output.content_type || output.issue ? "Issue" : "PullRequest",
contentQuery =
"Issue" === contentType
- ? "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n issue(number: $number) {\n id\n }\n }\n }"
- : "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n pullRequest(number: $number) {\n id\n }\n }\n }",
+ ? "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n issue(number: $number) {\n id\n createdAt\n closedAt\n }\n }\n }"
+ : "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n pullRequest(number: $number) {\n id\n createdAt\n closedAt\n }\n }\n }",
contentResult = await github.graphql(contentQuery, { owner, repo, number: contentNumber }),
- contentId = "Issue" === contentType ? contentResult.repository.issue.id : contentResult.repository.pullRequest.id,
+ contentData = "Issue" === contentType ? contentResult.repository.issue : contentResult.repository.pullRequest,
+ contentId = contentData.id,
+ createdAt = contentData.createdAt,
+ closedAt = contentData.closedAt,
existingItem = await (async function (projectId, contentId) {
let hasNextPage = !0,
endCursor = null;
@@ -7950,14 +7953,29 @@ jobs:
core.warning(`Failed to add campaign label: ${labelError.message}`);
}
}
- if (output.fields && Object.keys(output.fields).length > 0) {
+ const fieldsToUpdate = output.fields ? { ...output.fields } : {};
+ if (createdAt) {
+ const startDate = new Date(createdAt).toISOString().split("T")[0];
+ if (!fieldsToUpdate.start_date && !fieldsToUpdate["Start Date"] && !fieldsToUpdate.StartDate) {
+ fieldsToUpdate.start_date = startDate;
+ core.info(`Auto-populating Start Date from createdAt: ${startDate}`);
+ }
+ }
+ if (closedAt) {
+ const endDate = new Date(closedAt).toISOString().split("T")[0];
+ if (!fieldsToUpdate.end_date && !fieldsToUpdate["End Date"] && !fieldsToUpdate.EndDate) {
+ fieldsToUpdate.end_date = endDate;
+ core.info(`Auto-populating End Date from closedAt: ${endDate}`);
+ }
+ }
+ if (Object.keys(fieldsToUpdate).length > 0) {
const projectFields = (
await github.graphql(
- "query($projectId: ID!) {\n node(id: $projectId) {\n ... on ProjectV2 {\n fields(first: 20) {\n nodes {\n ... on ProjectV2Field {\n id\n name\n }\n ... on ProjectV2SingleSelectField {\n id\n name\n options {\n id\n name\n color\n }\n }\n }\n }\n }\n }\n }",
+ "query($projectId: ID!) {\n node(id: $projectId) {\n ... on ProjectV2 {\n fields(first: 20) {\n nodes {\n ... on ProjectV2Field {\n id\n name\n dataType\n }\n ... on ProjectV2SingleSelectField {\n id\n name\n dataType\n options {\n id\n name\n color\n }\n }\n }\n }\n }\n }\n }",
{ projectId }
)
).node.fields.nodes;
- for (const [fieldName, fieldValue] of Object.entries(output.fields)) {
+ for (const [fieldName, fieldValue] of Object.entries(fieldsToUpdate)) {
const normalizedFieldName = fieldName
.split(/[\s_-]+/)
.map(word => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
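Review bot: The guard before auto-populating checks only the spellings `start_date`, `Start Date` and `StartDate` (and the three matching `end_date` forms), while the loop below normalises keys by splitting on `/[\s_-]+/`. An agent-supplied key such as `start-date` or `START_DATE` passes the guard, so `fieldsToUpdate` would hold two keys that presumably normalise to the same project field, with the auto-populated one processed last. Comparing normalised keys avoids that, e.g. `const has = k => Object.keys(fieldsToUpdate).some(f => f.toLowerCase().replace(/[\s_-]+/g, "") === k);` followed by `if (!has("startdate"))` and `if (!has("enddate"))`. The loop body continues past the end of this hunk.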
@@ -7989,7 +8007,9 @@ jobs:
core.warning(`Failed to create field "${fieldName}": ${createError.message}`);
continue;
}
- if (field.options) {
+ if (field.dataType === "DATE") {
+ valueToSet = { date: String(fieldValue) };
+ } else if (field.options) {
let option = field.options.find(o => o.name === fieldValue);
if (!option)
try {
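Review bot: In the new `field.dataType === "DATE"` branch the value is sent as `{ date: String(fieldValue) }` without any check of its shape, and `fieldValue` can come from `output.fields`, which is agent output. Validating first, `if (!/^\d{4}-\d{2}-\d{2}$/.test(String(fieldValue))) { core.warning('Invalid date for "' + fieldName + '"; expected YYYY-MM-DD'); continue; }`, keeps a malformed value from reaching the mutation and follows the `continue` already used for the create-field failure just above. What happens when the mutation rejects a value is outside this hunk.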
diff --git a/.github/workflows/go-file-size-reduction.campaign.g.lock.yml b/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
index 85b2277c0a0..fa3379507f1 100644
--- a/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
+++ b/.github/workflows/go-file-size-reduction.campaign.g.lock.yml
@@ -239,7 +239,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -283,7 +283,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1859,7 +1859,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -1908,7 +1908,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Go File Size Reduction Campaign",
experimental: false,
supports_tools_allowlist: true,
@@ -1925,7 +1925,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1972,7 +1972,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5631,9 +5631,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6579,7 +6579,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -7721,29 +7721,29 @@ jobs:
globalThis.io = io;
const { loadAgentOutput } = require('/tmp/gh-aw/scripts/load_agent_output.cjs');
function logGraphQLError(error, operation) {
- (core.error(`GraphQL Error during: ${operation}`), core.error(`Message: ${error.message}`));
+ (core.info(`GraphQL Error during: ${operation}`), core.info(`Message: ${error.message}`));
const errorList = Array.isArray(error.errors) ? error.errors : [],
hasInsufficientScopes = errorList.some(e => e && "INSUFFICIENT_SCOPES" === e.type),
hasNotFound = errorList.some(e => e && "NOT_FOUND" === e.type);
(hasInsufficientScopes
- ? core.error(
+ ? core.info(
"This looks like a token permission problem for Projects v2. The GraphQL fields used by update_project require a token with Projects access (classic PAT: scope 'project'; fine-grained PAT: Organization permission 'Projects' and access to the org). Fix: set safe-outputs.update-project.github-token to a secret PAT that can access the target org project."
)
: hasNotFound &&
/projectV2\b/.test(error.message) &&
- core.error(
+ core.info(
"GitHub returned NOT_FOUND for ProjectV2. This can mean either: (1) the project number is wrong for Projects v2, (2) the project is a classic Projects board (not Projects v2), or (3) the token does not have access to that org/user project."
),
error.errors &&
- (core.error(`Errors array (${error.errors.length} error(s)):`),
+ (core.info(`Errors array (${error.errors.length} error(s)):`),
error.errors.forEach((err, idx) => {
- (core.error(` [${idx + 1}] ${err.message}`),
- err.type && core.error(` Type: ${err.type}`),
- err.path && core.error(` Path: ${JSON.stringify(err.path)}`),
- err.locations && core.error(` Locations: ${JSON.stringify(err.locations)}`));
+ (core.info(` [${idx + 1}] ${err.message}`),
+ err.type && core.info(` Type: ${err.type}`),
+ err.path && core.info(` Path: ${JSON.stringify(err.path)}`),
+ err.locations && core.info(` Locations: ${JSON.stringify(err.locations)}`));
})),
- error.request && core.error(`Request: ${JSON.stringify(error.request, null, 2)}`),
- error.data && core.error(`Response data: ${JSON.stringify(error.data, null, 2)}`));
+ error.request && core.info(`Request: ${JSON.stringify(error.request, null, 2)}`),
+ error.data && core.info(`Response data: ${JSON.stringify(error.data, null, 2)}`));
}
function parseProjectInput(projectUrl) {
if (!projectUrl || "string" != typeof projectUrl) throw new Error(`Invalid project input: expected string, got ${typeof projectUrl}. The "project" field is required and must be a full GitHub project URL.`);
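Review bot: After this change nothing in `logGraphQLError` raises an annotation, so the `INSUFFICIENT_SCOPES` and `NOT_FOUND` hints about a token that cannot reach the project are only visible to someone who opens the raw step log. If the intent is to stop failing-looking noise, `core.warning` keeps the diagnosis visible without marking the step as errored, e.g. `core.warning(`GraphQL Error during: ${operation}`)` for the first line and the two hint messages. Whether the caller reports the failure separately is outside the hunk. A short comment above the function saying why the level was lowered would also help the next reader.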
@@ -7917,10 +7917,13 @@ jobs:
const contentType = "pull_request" === output.content_type ? "PullRequest" : "issue" === output.content_type || output.issue ? "Issue" : "PullRequest",
contentQuery =
"Issue" === contentType
- ? "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n issue(number: $number) {\n id\n }\n }\n }"
- : "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n pullRequest(number: $number) {\n id\n }\n }\n }",
+ ? "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n issue(number: $number) {\n id\n createdAt\n closedAt\n }\n }\n }"
+ : "query($owner: String!, $repo: String!, $number: Int!) {\n repository(owner: $owner, name: $repo) {\n pullRequest(number: $number) {\n id\n createdAt\n closedAt\n }\n }\n }",
contentResult = await github.graphql(contentQuery, { owner, repo, number: contentNumber }),
- contentId = "Issue" === contentType ? contentResult.repository.issue.id : contentResult.repository.pullRequest.id,
+ contentData = "Issue" === contentType ? contentResult.repository.issue : contentResult.repository.pullRequest,
+ contentId = contentData.id,
+ createdAt = contentData.createdAt,
+ closedAt = contentData.closedAt,
existingItem = await (async function (projectId, contentId) {
let hasNextPage = !0,
endCursor = null;
@@ -7950,14 +7953,29 @@ jobs:
core.warning(`Failed to add campaign label: ${labelError.message}`);
}
}
- if (output.fields && Object.keys(output.fields).length > 0) {
+ const fieldsToUpdate = output.fields ? { ...output.fields } : {};
+ if (createdAt) {
+ const startDate = new Date(createdAt).toISOString().split("T")[0];
+ if (!fieldsToUpdate.start_date && !fieldsToUpdate["Start Date"] && !fieldsToUpdate.StartDate) {
+ fieldsToUpdate.start_date = startDate;
+ core.info(`Auto-populating Start Date from createdAt: ${startDate}`);
+ }
+ }
+ if (closedAt) {
+ const endDate = new Date(closedAt).toISOString().split("T")[0];
+ if (!fieldsToUpdate.end_date && !fieldsToUpdate["End Date"] && !fieldsToUpdate.EndDate) {
+ fieldsToUpdate.end_date = endDate;
+ core.info(`Auto-populating End Date from closedAt: ${endDate}`);
+ }
+ }
+ if (Object.keys(fieldsToUpdate).length > 0) {
const projectFields = (
await github.graphql(
- "query($projectId: ID!) {\n node(id: $projectId) {\n ... on ProjectV2 {\n fields(first: 20) {\n nodes {\n ... on ProjectV2Field {\n id\n name\n }\n ... on ProjectV2SingleSelectField {\n id\n name\n options {\n id\n name\n color\n }\n }\n }\n }\n }\n }\n }",
+ "query($projectId: ID!) {\n node(id: $projectId) {\n ... on ProjectV2 {\n fields(first: 20) {\n nodes {\n ... on ProjectV2Field {\n id\n name\n dataType\n }\n ... on ProjectV2SingleSelectField {\n id\n name\n dataType\n options {\n id\n name\n color\n }\n }\n }\n }\n }\n }\n }",
{ projectId }
)
).node.fields.nodes;
- for (const [fieldName, fieldValue] of Object.entries(output.fields)) {
+ for (const [fieldName, fieldValue] of Object.entries(fieldsToUpdate)) {
const normalizedFieldName = fieldName
.split(/[\s_-]+/)
.map(word => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
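Review bot: The guard before auto-populating only recognises the exact keys `start_date`, `"Start Date"` and `StartDate` (and the `end_date` equivalents), while the loop below normalises names by splitting on whitespace, `_` and `-`. A supplied key such as `start-date` or `START_DATE` therefore passes the guard, and the auto-generated `start_date` is added after it. Both then appear to resolve to the same project field, so the value derived from `createdAt` would be written last and replace the supplied one. Comparing on a normalised form avoids this, e.g. `const hasKey = n => Object.keys(fieldsToUpdate).some(k => k.replace(/[\s_-]+/g, "").toLowerCase() === n);` followed by `if (!hasKey("startdate"))`. The rest of the normalisation chain lies outside the hunk, so the exact resulting field name is inferred.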
@@ -7989,7 +8007,9 @@ jobs:
core.warning(`Failed to create field "${fieldName}": ${createError.message}`);
continue;
}
- if (field.options) {
+ if (field.dataType === "DATE") {
+ valueToSet = { date: String(fieldValue) };
+ } else if (field.options) {
let option = field.options.find(o => o.name === fieldValue);
if (!option)
try {
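Review bot: The new `DATE` branch passes `String(fieldValue)` to the mutation without checking its shape, and `fieldValue` can come from `output.fields` as well as from the auto-populated dates. A value that is not `YYYY-MM-DD` will only be rejected by the API, after the field lookup or creation has already run. A local check before building the value keeps the failure explicit: `if (!/^\d{4}-\d{2}-\d{2}$/.test(String(fieldValue))) { core.warning(`Invalid date for "${fieldName}"`); continue; }`. The enclosing loop and the `try` that follows continue outside the hunk.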
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index f6b6b3329dd..b5b7f21f4a7 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -282,7 +282,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -312,7 +312,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1831,7 +1831,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1870,7 +1870,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Go Logger Enhancement",
experimental: true,
supports_tools_allowlist: true,
@@ -1887,7 +1887,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1934,7 +1934,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5389,9 +5389,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6354,7 +6354,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 3eaf35c0d17..d1298f0c25f 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -257,7 +257,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -287,7 +287,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcp/ast-grep:latest
- name: Write Safe Outputs Config
run: |
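Review bot: The bumped `ghcr.io/github/github-mcp-server:v0.26.3` is referenced by tag only, and the neighbouring `mcp/ast-grep:latest` floats, while actions in these lock files are pinned by commit SHA. The MCP server container is started with `GITHUB_PERSONAL_ACCESS_TOKEN` in its environment (see the later hunk in this file), so a retagged image would receive that token. Pinning by digest keeps the pulled content fixed, e.g. `docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3@sha256:<DIGEST>`, with the same reference used in the MCP config args. The tag-only reference repeats in every lock file in this patch. These files look generated, so the pin would go in the generator.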
@@ -1828,7 +1828,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1867,7 +1867,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Go Pattern Detector",
experimental: true,
supports_tools_allowlist: true,
@@ -1884,7 +1884,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1931,7 +1931,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5235,9 +5235,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6220,7 +6220,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index 075bdb6418c..c593b90958f 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -266,7 +266,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -296,7 +296,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1815,7 +1815,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1854,7 +1854,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Instructions Janitor",
experimental: true,
supports_tools_allowlist: true,
@@ -1871,7 +1871,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1918,7 +1918,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5269,9 +5269,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6234,7 +6234,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index 1f2e15240d2..fe769093998 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -254,7 +254,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -292,7 +292,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1924,7 +1924,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=issues",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -1947,7 +1947,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Issue Arborist",
experimental: true,
supports_tools_allowlist: true,
@@ -1964,7 +1964,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2011,7 +2011,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5551,9 +5551,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-issue-arborist
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
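Review bot: The `domain` value written into the summary table comes straight from the proxy log: `parseFirewallLogLine` takes `fields[2]` from a match on `[^\s"]+`, which allows `|`, `<` and backticks. `generateFirewallSummary` then interpolates it into a Markdown row that `core.summary.addRaw` publishes. Since the hostnames are chosen by whatever runs inside the sandbox, a crafted value can break or spoof rows in a table that reviewers read as the record of blocked traffic. Neutralising it at parse time keeps the entry counted, e.g. `domain: fields[2].replace(/[^A-Za-z0-9._:\[\]-]/g, "_"),`. Separately, the added lines appear to repeat an upload and parse step that already precedes the hunk (the context lines are the tail of the same `generateFirewallSummary`); if so, the artifact `firewall-logs-issue-arborist` is uploaded twice.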
@@ -6502,7 +6661,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 4106eeeecbc..58804996dde 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -270,7 +270,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -300,7 +300,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1809,7 +1809,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1848,7 +1848,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Lockfile Statistics Analysis Agent",
experimental: true,
supports_tools_allowlist: true,
@@ -1865,7 +1865,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1912,7 +1912,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5522,9 +5522,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6480,7 +6480,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index f2aa070bbb1..dc89da55306 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -998,7 +998,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -1042,7 +1042,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -3068,7 +3068,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -3117,7 +3117,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: "gpt-5",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Poem Bot - A Creative Agentic Workflow",
experimental: false,
supports_tools_allowlist: true,
@@ -3134,7 +3134,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -3181,7 +3181,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6834,9 +6834,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7803,7 +7803,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -10633,7 +10633,7 @@ jobs:
};
EOF_4d21ccbd
- cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_006d32d7'
+ cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_60283df2'
// @ts-check
///
@@ -10718,11 +10718,12 @@ jobs:
* @param {boolean} params.canUpdateStatus - Whether status updates are allowed
* @param {boolean} params.canUpdateTitle - Whether title updates are allowed
* @param {boolean} params.canUpdateBody - Whether body updates are allowed
+ * @param {boolean} [params.canUpdateLabels] - Whether label updates are allowed
* @param {boolean} params.supportsStatus - Whether this type supports status
* @returns {{hasUpdates: boolean, updateData: any, logMessages: string[]}}
*/
function buildUpdateData(params) {
- const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, supportsStatus } = params;
+ const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, canUpdateLabels, supportsStatus } = params;
/** @type {any} */
const updateData = {};
@@ -10772,6 +10773,17 @@ jobs:
}
}
+ // Handle labels update
+ if (canUpdateLabels && item.labels !== undefined) {
+ if (Array.isArray(item.labels)) {
+ updateData.labels = item.labels;
+ hasUpdates = true;
+ logMessages.push(`Will update labels to: ${item.labels.join(", ")}`);
+ } else {
+ logMessages.push("Invalid labels value: must be an array");
+ }
+ }
+
return { hasUpdates, updateData, logMessages };
}
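Review bot: The labels branch accepts any array: `Array.isArray(item.labels)` does not check that the elements are strings, and no allowlist or size limit is applied before `updateData.labels = item.labels`. If `item` is agent output, as the surrounding runner suggests, the array reaches the update call unchanged, and a non-string element fails only at the API. A tighter guard would be `if (Array.isArray(item.labels) && item.labels.every(l => typeof l === "string" && l.trim() !== ""))`. A comment noting that the update replaces the existing label set, if that is how the caller applies `updateData`, would help reviewers judge the `GH_AW_UPDATE_LABELS` opt-in. Upstream validation may exist outside the hunk.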
@@ -10816,12 +10828,13 @@ jobs:
const canUpdateStatus = process.env.GH_AW_UPDATE_STATUS === "true";
const canUpdateTitle = process.env.GH_AW_UPDATE_TITLE === "true";
const canUpdateBody = process.env.GH_AW_UPDATE_BODY === "true";
+ const canUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true";
core.info(`Update target configuration: ${updateTarget}`);
if (supportsStatus) {
- core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
} else {
- core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
}
// Check context validity
@@ -10865,6 +10878,7 @@ jobs:
canUpdateStatus,
canUpdateTitle,
canUpdateBody,
+ canUpdateLabels,
supportsStatus,
});
@@ -10986,7 +11000,7 @@ jobs:
createGetSummaryLine,
};
- EOF_006d32d7
+ EOF_60283df2
- name: Create Issue
id: create_issue
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_issue'))
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index 6961e6e7b84..f3b1398ee6d 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -343,7 +343,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -373,7 +373,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1886,7 +1886,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=repos,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1925,7 +1925,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Copilot Agent Prompt Clustering Analysis",
experimental: true,
supports_tools_allowlist: true,
@@ -1942,7 +1942,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github","python"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1989,7 +1989,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6157,9 +6157,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7115,7 +7115,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 03e69ac517e..0274cd8d19e 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -1045,7 +1045,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
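Review bot: The changed line runs `/tmp/copilot-install.sh` under `sudo bash`, but the `curl` two lines above fetches that script from the mutable `main` branch, so pinning `VERSION=0.0.371` does not pin the code that executes as root. Fetching the installer from a fixed ref and checking its digest before running it would close that gap, e.g. `curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/<PINNED_COMMIT_SHA>/install.sh -o /tmp/copilot-install.sh` followed by `echo "<EXPECTED_SHA256>  /tmp/copilot-install.sh" | sha256sum -c -` (both values are placeholders). The later hunk in this file (`@@ -7718,7 +7718,7 @@`) has the same pattern. The step begins above the hunk, and if this lock file is compiled output the change belongs in the generator that emits it.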
@@ -1089,7 +1089,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -2653,7 +2653,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions,discussions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -2721,7 +2721,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Q",
experimental: false,
supports_tools_allowlist: true,
@@ -2738,7 +2738,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2785,7 +2785,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6757,9 +6757,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7718,7 +7718,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index fb5b54e2855..3f39e4b75d8 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -295,7 +295,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -325,7 +325,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1838,7 +1838,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1877,7 +1877,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Safe Output Health Monitor",
experimental: true,
supports_tools_allowlist: true,
@@ -1894,7 +1894,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1941,7 +1941,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5691,9 +5691,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6649,7 +6649,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index 29bc0a385c5..111f714b2e0 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -273,7 +273,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1812,7 +1812,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Schema Consistency Checker",
experimental: true,
supports_tools_allowlist: true,
@@ -1829,7 +1829,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1876,7 +1876,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5458,9 +5458,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6416,7 +6416,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index 94f08449ded..6d9cbef6b3d 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -1055,7 +1055,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -1085,7 +1085,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcp/arxiv-mcp-server
docker_pull_with_retry mcp/context7
- name: Write Safe Outputs Config
@@ -2609,7 +2609,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -2663,7 +2663,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Scout",
experimental: true,
supports_tools_allowlist: true,
@@ -2680,7 +2680,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2727,7 +2727,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6317,9 +6317,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7274,7 +7274,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index 502ead04f2a..2dde2170f9b 100644
--- a/.github/workflows/security-fix-pr.lock.yml
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -274,7 +274,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -304,7 +304,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1823,7 +1823,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,code_security,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1862,7 +1862,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Security Fix PR",
experimental: true,
supports_tools_allowlist: true,
@@ -1879,7 +1879,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1926,7 +1926,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5279,9 +5279,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6244,7 +6244,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index d2bad32fcb2..eae41e8b386 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -255,7 +255,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -285,7 +285,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1853,7 +1853,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1892,7 +1892,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Semantic Function Refactoring",
experimental: true,
supports_tools_allowlist: true,
@@ -1909,7 +1909,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1956,7 +1956,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5712,9 +5712,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6663,7 +6663,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 56fb86feda6..b752acbc739 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -694,7 +694,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -724,7 +724,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
run: |
@@ -2330,7 +2330,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=repos,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -2398,7 +2398,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Smoke Claude",
experimental: true,
supports_tools_allowlist: true,
@@ -2415,7 +2415,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github","playwright"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2462,7 +2462,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5839,9 +5839,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6796,7 +6796,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/smoke-codex-firewall.lock.yml b/.github/workflows/smoke-codex-firewall.lock.yml
index 417ab70cbaa..71a33774980 100644
--- a/.github/workflows/smoke-codex-firewall.lock.yml
+++ b/.github/workflows/smoke-codex-firewall.lock.yml
@@ -655,7 +655,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -693,7 +693,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -2334,7 +2334,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -2357,7 +2357,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Smoke Codex Firewall",
experimental: true,
supports_tools_allowlist: true,
@@ -2374,7 +2374,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2421,7 +2421,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5766,9 +5766,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-smoke-codex-firewall
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
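Review bot: The added table row `| ${domain} | ${stats.allowed} | ${stats.denied} |` in generateFirewallSummary puts the domain field from the proxy log into the step summary without validation or escaping, and `core.summary.addRaw(summary)` emits it as-is. That field reflects whatever host the sandboxed agent requested, so a value containing `|`, backticks or markup could break the table or show misleading rows in the report; how much the rendered summary sanitises is not visible here. Normalising before output keeps the report trustworthy, e.g. `const safeDomain = /^[\w.:\[\]-]+$/.test(domain) ? domain : "(invalid)";` with `safeDomain` used in the row. The first copy of the function starts above the hunk, the same added code appears in the smoke-codex.lock.yml hunk, and if these lock files are compiled output the fix belongs in the script they are generated from.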
@@ -6716,7 +6875,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 7dc3b12082d..1b4b483a6a1 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -682,7 +682,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Install awf binary
run: |
echo "Installing awf from release: v0.7.0"
@@ -720,7 +720,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
run: |
@@ -2362,7 +2362,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
]
env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN"]
@@ -2414,7 +2414,7 @@ jobs:
engine_name: "Codex",
model: process.env.GH_AW_MODEL_AGENT_CODEX || "",
version: "",
- agent_version: "0.73.0",
+ agent_version: "0.75.0",
workflow_name: "Smoke Codex",
experimental: true,
supports_tools_allowlist: true,
@@ -2431,7 +2431,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github","playwright"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2478,7 +2478,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5872,9 +5872,168 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
+ summary += "\n";
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `${validAllowedRequests} allowed | `;
+ summary += `${validDeniedRequests} blocked | `;
+ summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
+ if (uniqueDomainCount > 0) {
+ summary += "| Domain | Allowed | Denied |\n";
+ summary += "|--------|---------|--------|\n";
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ summary += `| ${domain} | ${stats.allowed} | ${stats.denied} |\n`;
+ }
+ } else {
+ summary += "No firewall activity detected.\n";
+ }
+ summary += "\n \n\n";
+ return summary;
+ }
+ const isDirectExecution = typeof module === "undefined" || (typeof require !== "undefined" && typeof require.main !== "undefined" && require.main === module);
+ if (isDirectExecution) {
+ main();
+ }
+ - name: Upload Firewall Logs
+ if: always()
+ continue-on-error: true
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+ with:
+ name: firewall-logs-smoke-codex
+ path: /tmp/gh-aw/sandbox/firewall/logs/
+ if-no-files-found: ignore
+ - name: Parse firewall logs for step summary
+ if: always()
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ function sanitizeWorkflowName(name) {
+ return name
+ .toLowerCase()
+ .replace(/[:\\/\s]/g, "-")
+ .replace(/[^a-z0-9._-]/g, "-");
+ }
+ function main() {
+ const fs = require("fs");
+ const path = require("path");
+ try {
+ const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;
+ if (!fs.existsSync(squidLogsDir)) {
+ core.info(`No firewall logs directory found at: ${squidLogsDir}`);
+ return;
+ }
+ const files = fs.readdirSync(squidLogsDir).filter(file => file.endsWith(".log"));
+ if (files.length === 0) {
+ core.info(`No firewall log files found in: ${squidLogsDir}`);
+ return;
+ }
+ core.info(`Found ${files.length} firewall log file(s)`);
+ let totalRequests = 0;
+ let allowedRequests = 0;
+ let deniedRequests = 0;
+ const allowedDomains = new Set();
+ const deniedDomains = new Set();
+ const requestsByDomain = new Map();
+ for (const file of files) {
+ const filePath = path.join(squidLogsDir, file);
+ core.info(`Parsing firewall log: ${file}`);
+ const content = fs.readFileSync(filePath, "utf8");
+ const lines = content.split("\n").filter(line => line.trim());
+ for (const line of lines) {
+ const entry = parseFirewallLogLine(line);
+ if (!entry) {
+ continue;
+ }
+ totalRequests++;
+ const isAllowed = isRequestAllowed(entry.decision, entry.status);
+ if (isAllowed) {
+ allowedRequests++;
+ allowedDomains.add(entry.domain);
+ } else {
+ deniedRequests++;
+ deniedDomains.add(entry.domain);
+ }
+ if (!requestsByDomain.has(entry.domain)) {
+ requestsByDomain.set(entry.domain, { allowed: 0, denied: 0 });
+ }
+ const domainStats = requestsByDomain.get(entry.domain);
+ if (isAllowed) {
+ domainStats.allowed++;
+ } else {
+ domainStats.denied++;
+ }
+ }
+ }
+ const summary = generateFirewallSummary({
+ totalRequests,
+ allowedRequests,
+ deniedRequests,
+ allowedDomains: Array.from(allowedDomains).sort(),
+ deniedDomains: Array.from(deniedDomains).sort(),
+ requestsByDomain,
+ });
+ core.summary.addRaw(summary).write();
+ core.info("Firewall log summary generated successfully");
+ } catch (error) {
+ core.setFailed(error instanceof Error ? error : String(error));
+ }
+ }
+ function parseFirewallLogLine(line) {
+ const trimmed = line.trim();
+ if (!trimmed || trimmed.startsWith("#")) {
+ return null;
+ }
+ const fields = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g);
+ if (!fields || fields.length < 10) {
+ return null;
+ }
+ const timestamp = fields[0];
+ if (!/^\d+(\.\d+)?$/.test(timestamp)) {
+ return null;
+ }
+ return {
+ timestamp,
+ clientIpPort: fields[1],
+ domain: fields[2],
+ destIpPort: fields[3],
+ proto: fields[4],
+ method: fields[5],
+ status: fields[6],
+ decision: fields[7],
+ url: fields[8],
+ userAgent: fields[9]?.replace(/^"|"$/g, "") || "-",
+ };
+ }
+ function isRequestAllowed(decision, status) {
+ const statusCode = parseInt(status, 10);
+ if (statusCode === 200 || statusCode === 206 || statusCode === 304) {
+ return true;
+ }
+ if (decision.includes("TCP_TUNNEL") || decision.includes("TCP_HIT") || decision.includes("TCP_MISS")) {
+ return true;
+ }
+ if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) {
+ return false;
+ }
+ return false;
+ }
+ function generateFirewallSummary(analysis) {
+ const { totalRequests, requestsByDomain } = analysis;
+ const validDomains = Array.from(requestsByDomain.keys())
+ .filter(domain => domain !== "-")
+ .sort();
+ const uniqueDomainCount = validDomains.length;
+ let validAllowedRequests = 0;
+ let validDeniedRequests = 0;
+ for (const domain of validDomains) {
+ const stats = requestsByDomain.get(domain);
+ validAllowedRequests += stats.allowed;
+ validDeniedRequests += stats.denied;
+ }
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
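Review bot: In the added isRequestAllowed the status-code test runs before the decision test, so a log line with status 200, 206 or 304 is counted as allowed even if its decision field contains `TCP_DENIED` or `NONE_NONE`. Whether the proxy ever emits such a combination is not visible here, but for a firewall report it is safer for deny indicators to win. Make `if (decision.includes("NONE_NONE") || decision.includes("TCP_DENIED") || statusCode === 403 || statusCode === 407) return false;` the first check after `parseInt`. As written that third `if` has no effect, since both it and the fall-through return false. The same function is added in the smoke-codex-firewall.lock.yml hunk.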
@@ -6829,7 +6988,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Codex
- run: npm install -g @openai/codex@0.73.0
+ run: npm install -g @openai/codex@0.75.0
- name: Run Codex
run: |
set -o pipefail
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml
index 3b730a06074..2884b16e348 100644
--- a/.github/workflows/smoke-detector.lock.yml
+++ b/.github/workflows/smoke-detector.lock.yml
@@ -717,7 +717,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -747,7 +747,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -2317,7 +2317,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -2356,7 +2356,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Smoke Detector - Smoke Test Failure Investigator",
experimental: true,
supports_tools_allowlist: true,
@@ -2373,7 +2373,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2420,7 +2420,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5954,9 +5954,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6913,7 +6913,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml
index d52f9fa2a66..3df98376ed5 100644
--- a/.github/workflows/static-analysis-report.lock.yml
+++ b/.github/workflows/static-analysis-report.lock.yml
@@ -288,7 +288,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -318,7 +318,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1831,7 +1831,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1870,7 +1870,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Static Analysis Report",
experimental: true,
supports_tools_allowlist: true,
@@ -1887,7 +1887,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1934,7 +1934,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5542,9 +5542,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6500,7 +6500,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml
index 4246aed3121..62aa303e5f2 100644
--- a/.github/workflows/sub-issue-closer.lock.yml
+++ b/.github/workflows/sub-issue-closer.lock.yml
@@ -239,7 +239,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -283,7 +283,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1837,7 +1837,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=issues",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -1886,7 +1886,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Sub-Issue Closer",
experimental: false,
supports_tools_allowlist: true,
@@ -1903,7 +1903,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1950,7 +1950,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5581,9 +5581,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6529,7 +6529,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -7428,7 +7428,7 @@ jobs:
};
EOF_4d21ccbd
- cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_006d32d7'
+ cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_60283df2'
// @ts-check
///
@@ -7513,11 +7513,12 @@ jobs:
* @param {boolean} params.canUpdateStatus - Whether status updates are allowed
* @param {boolean} params.canUpdateTitle - Whether title updates are allowed
* @param {boolean} params.canUpdateBody - Whether body updates are allowed
+ * @param {boolean} [params.canUpdateLabels] - Whether label updates are allowed
* @param {boolean} params.supportsStatus - Whether this type supports status
* @returns {{hasUpdates: boolean, updateData: any, logMessages: string[]}}
*/
function buildUpdateData(params) {
- const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, supportsStatus } = params;
+ const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, canUpdateLabels, supportsStatus } = params;
/** @type {any} */
const updateData = {};
@@ -7567,6 +7568,17 @@ jobs:
}
}
+ // Handle labels update
+ if (canUpdateLabels && item.labels !== undefined) {
+ if (Array.isArray(item.labels)) {
+ updateData.labels = item.labels;
+ hasUpdates = true;
+ logMessages.push(`Will update labels to: ${item.labels.join(", ")}`);
+ } else {
+ logMessages.push("Invalid labels value: must be an array");
+ }
+ }
+
return { hasUpdates, updateData, logMessages };
}
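Review bot: The labels branch added to `buildUpdateData` checks only `Array.isArray(item.labels)` before `updateData.labels = item.labels`, so an array with non-string or empty elements is copied into the update payload and joined into the log line. Unless `item` is validated before it reaches this function (not visible here, and `item` presumably carries agent output), the guard should check the elements too: `if (Array.isArray(item.labels) && item.labels.every(l => typeof l === "string" && l.trim() !== "")) {`, which leaves everything else on the existing "Invalid labels value" path. A cap on the number of labels, or a check against a configured allowlist, would fit the same place. The function starts and ends outside this hunk, and the same block is added again in `workflow-generator.lock.yml`; as the `.lock.yml` files look compiled, the change belongs in the source of `update_runner.cjs`.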
@@ -7611,12 +7623,13 @@ jobs:
const canUpdateStatus = process.env.GH_AW_UPDATE_STATUS === "true";
const canUpdateTitle = process.env.GH_AW_UPDATE_TITLE === "true";
const canUpdateBody = process.env.GH_AW_UPDATE_BODY === "true";
+ const canUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true";
core.info(`Update target configuration: ${updateTarget}`);
if (supportsStatus) {
- core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
} else {
- core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
}
// Check context validity
@@ -7660,6 +7673,7 @@ jobs:
canUpdateStatus,
canUpdateTitle,
canUpdateBody,
+ canUpdateLabels,
supportsStatus,
});
@@ -7781,7 +7795,7 @@ jobs:
createGetSummaryLine,
};
- EOF_006d32d7
+ EOF_60283df2
- name: Add Comment
id: add_comment
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'add_comment'))
diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml
index 4b39555f3dd..94af3201ba6 100644
--- a/.github/workflows/typist.lock.yml
+++ b/.github/workflows/typist.lock.yml
@@ -266,7 +266,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -296,7 +296,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1805,7 +1805,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -1857,7 +1857,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Typist - Go Type Analysis",
experimental: true,
supports_tools_allowlist: true,
@@ -1874,7 +1874,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -1921,7 +1921,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -5710,9 +5710,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6661,7 +6661,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index def8af60620..aea8b042940 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -701,7 +701,7 @@ jobs:
which awf
awf --version
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Downloading container images
run: |
set -e
@@ -731,7 +731,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
docker_pull_with_retry mcr.microsoft.com/playwright/mcp
- name: Write Safe Outputs Config
run: |
@@ -2316,7 +2316,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN"
@@ -2373,7 +2373,7 @@ jobs:
engine_name: "Claude Code",
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
version: "",
- agent_version: "2.0.71",
+ agent_version: "2.0.73",
workflow_name: "Documentation Unbloat",
experimental: true,
supports_tools_allowlist: true,
@@ -2390,7 +2390,7 @@ jobs:
network_mode: "defaults",
allowed_domains: ["defaults","github"],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2437,7 +2437,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -6036,9 +6036,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -7007,7 +7007,7 @@ jobs:
node-version: '24'
package-manager-cache: false
- name: Install Claude Code CLI
- run: npm install -g @anthropic-ai/claude-code@2.0.71
+ run: npm install -g @anthropic-ai/claude-code@2.0.73
- name: Execute Claude Code CLI
id: agentic_execution
# Allowed tools (sorted):
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml
index 46400e300ef..730f37980c9 100644
--- a/.github/workflows/workflow-generator.lock.yml
+++ b/.github/workflows/workflow-generator.lock.yml
@@ -287,7 +287,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -331,7 +331,7 @@ jobs:
done
}
- docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.25.0
+ docker_pull_with_retry ghcr.io/github/github-mcp-server:v0.26.3
- name: Write Safe Outputs Config
run: |
mkdir -p /tmp/gh-aw/safeoutputs
@@ -1887,7 +1887,7 @@ jobs:
"GITHUB_READ_ONLY=1",
"-e",
"GITHUB_TOOLSETS=context,repos,issues,pull_requests",
- "ghcr.io/github/github-mcp-server:v0.25.0"
+ "ghcr.io/github/github-mcp-server:v0.26.3"
],
"tools": ["*"],
"env": {
@@ -1936,7 +1936,7 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
- agent_version: "0.0.369",
+ agent_version: "0.0.371",
workflow_name: "Workflow Generator",
experimental: false,
supports_tools_allowlist: true,
@@ -1953,7 +1953,7 @@ jobs:
network_mode: "defaults",
allowed_domains: [],
firewall_enabled: true,
- firewall_version: "",
+ awf_version: "v0.7.0",
steps: {
firewall: "squid"
},
@@ -2000,7 +2000,7 @@ jobs:
'|----------|-------|\n' +
`| Mode | ${awInfo.network_mode || 'defaults'} |\n` +
`| Firewall | ${awInfo.firewall_enabled ? '✅ Enabled' : '❌ Disabled'} |\n` +
- `| Firewall Version | ${awInfo.firewall_version || '(latest)'} |\n` +
+ `| Firewall Version | ${awInfo.awf_version || '(latest)'} |\n` +
'\n' +
(networkDetails ? `##### Allowed Domains\n${networkDetails}\n` : '') +
'
';
@@ -2047,26 +2047,39 @@ jobs:
This issue has been assigned to an AI agent for workflow design. The agent will:
- 1. **Parse the workflow requirements** from the information provided above
- 2. **Generate a NEW workflow specification file** (`.md`) with appropriate triggers, tools, and safe outputs
- 3. **Create a pull request** with the new workflow file at `.github/workflows/.md`
+ 1. **Parse the workflow requirements** from the issue form fields above:
+ - Workflow Name
+ - Workflow Description
+ - Additional Context (if provided)
- **IMPORTANT**: The agent will create a NEW workflow file following best practices for:
- - Security (minimal permissions, safe outputs for write operations)
- - Appropriate triggers (issues, pull requests, schedule, workflow_dispatch, etc.)
- - Necessary tools and MCP servers
- - Network restrictions when needed
- - Proper safe output configuration for GitHub operations
+ 2. **Generate a NEW workflow specification file** (`.md`) with:
+ - Kebab-case workflow ID derived from the name
+ - Complete YAML frontmatter (triggers, permissions, engine, tools, safe-outputs)
+ - Clear prompt body with instructions for the AI agent
+ - Security best practices applied
- The workflow specification will include:
- - Frontmatter with triggers, permissions, engine, and tools
- - Clear prompt instructions for the AI agent
- - Safe output configuration for any write operations
- - Security best practices (network restrictions, minimal permissions)
+ 3. **Compile the workflow** using `gh aw compile ` to generate the `.lock.yml` file
+
+ 4. **Create a pull request** with BOTH files:
+ - `.github/workflows/.md` (source)
+ - `.github/workflows/.lock.yml` (compiled)
+
+ **IMPORTANT - Issue Form Mode**: The agent operates in non-interactive mode and will:
+ - Parse the issue form data directly
+ - Make intelligent decisions about triggers, tools, and permissions based on the description
+ - Create a complete, working workflow without back-and-forth conversation
+ - Follow the same pattern as the campaign generator
+
+ **Best Practices Applied:**
+ - Security: minimal permissions, safe outputs for write operations
+ - Triggers: inferred from description (issues, pull_requests, schedule, workflow_dispatch)
+ - Tools: only include what's needed (github, web-fetch, playwright, etc.)
+ - Network: restricted to required domains/ecosystems
+ - Safe Outputs: for all GitHub write operations
**Next Steps:**
- - The AI agent will analyze your requirements and create a comprehensive workflow
- - The workflow will be compiled automatically to ensure validity
+ - The AI agent will parse your requirements and generate a complete workflow
+ - Both `.md` and `.lock.yml` files will be included in the PR
- Review the generated PR when it's ready
- Merge the PR to activate your workflow
```
@@ -5579,9 +5592,9 @@ jobs:
validAllowedRequests += stats.allowed;
validDeniedRequests += stats.denied;
}
- let summary = "### 🔥 Firewall Activity\n\n";
+ let summary = "";
summary += "\n";
- summary += `📊 ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
+ summary += `sandbox agent: ${totalRequests} request${totalRequests !== 1 ? "s" : ""} | `;
summary += `${validAllowedRequests} allowed | `;
summary += `${validDeniedRequests} blocked | `;
summary += `${uniqueDomainCount} unique domain${uniqueDomainCount !== 1 ? "s" : ""}
\n\n`;
@@ -6566,7 +6579,7 @@ jobs:
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
- export VERSION=0.0.369 && sudo bash /tmp/copilot-install.sh
+ export VERSION=0.0.371 && sudo bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
@@ -7434,7 +7447,7 @@ jobs:
module.exports = { generateStagedPreview };
EOF_8386ee20
- cat > /tmp/gh-aw/scripts/update_context_helpers.cjs << 'EOF_95d23c7d'
+ cat > /tmp/gh-aw/scripts/update_context_helpers.cjs << 'EOF_4d21ccbd'
// @ts-check
///
@@ -7498,15 +7511,36 @@ jobs:
return undefined;
}
+ /**
+ * Check if the current context is a valid discussion context
+ * @param {string} eventName - GitHub event name
+ * @param {any} _payload - GitHub event payload (unused but kept for interface consistency)
+ * @returns {boolean} Whether context is valid for discussion updates
+ */
+ function isDiscussionContext(eventName, _payload) {
+ return eventName === "discussion" || eventName === "discussion_comment";
+ }
+
+ /**
+ * Get discussion number from the context payload
+ * @param {any} payload - GitHub event payload
+ * @returns {number|undefined} Discussion number or undefined
+ */
+ function getDiscussionNumber(payload) {
+ return payload?.discussion?.number;
+ }
+
module.exports = {
isIssueContext,
getIssueNumber,
isPRContext,
getPRNumber,
+ isDiscussionContext,
+ getDiscussionNumber,
};
- EOF_95d23c7d
- cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_006d32d7'
+ EOF_4d21ccbd
+ cat > /tmp/gh-aw/scripts/update_runner.cjs << 'EOF_60283df2'
// @ts-check
///
@@ -7591,11 +7625,12 @@ jobs:
* @param {boolean} params.canUpdateStatus - Whether status updates are allowed
* @param {boolean} params.canUpdateTitle - Whether title updates are allowed
* @param {boolean} params.canUpdateBody - Whether body updates are allowed
+ * @param {boolean} [params.canUpdateLabels] - Whether label updates are allowed
* @param {boolean} params.supportsStatus - Whether this type supports status
* @returns {{hasUpdates: boolean, updateData: any, logMessages: string[]}}
*/
function buildUpdateData(params) {
- const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, supportsStatus } = params;
+ const { item, canUpdateStatus, canUpdateTitle, canUpdateBody, canUpdateLabels, supportsStatus } = params;
/** @type {any} */
const updateData = {};
@@ -7645,6 +7680,17 @@ jobs:
}
}
+ // Handle labels update
+ if (canUpdateLabels && item.labels !== undefined) {
+ if (Array.isArray(item.labels)) {
+ updateData.labels = item.labels;
+ hasUpdates = true;
+ logMessages.push(`Will update labels to: ${item.labels.join(", ")}`);
+ } else {
+ logMessages.push("Invalid labels value: must be an array");
+ }
+ }
+
return { hasUpdates, updateData, logMessages };
}
@@ -7689,12 +7735,13 @@ jobs:
const canUpdateStatus = process.env.GH_AW_UPDATE_STATUS === "true";
const canUpdateTitle = process.env.GH_AW_UPDATE_TITLE === "true";
const canUpdateBody = process.env.GH_AW_UPDATE_BODY === "true";
+ const canUpdateLabels = process.env.GH_AW_UPDATE_LABELS === "true";
core.info(`Update target configuration: ${updateTarget}`);
if (supportsStatus) {
- core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update status: ${canUpdateStatus}, title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
} else {
- core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}`);
+ core.info(`Can update title: ${canUpdateTitle}, body: ${canUpdateBody}, labels: ${canUpdateLabels}`);
}
// Check context validity
@@ -7738,6 +7785,7 @@ jobs:
canUpdateStatus,
canUpdateTitle,
canUpdateBody,
+ canUpdateLabels,
supportsStatus,
});
@@ -7859,7 +7907,7 @@ jobs:
createGetSummaryLine,
};
- EOF_006d32d7
+ EOF_60283df2
- name: Assign To Agent
id: assign_to_agent
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'assign_to_agent'))
From dca7983e6cc39cf932659af74d81b863afd4ee2d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 21:40:22 +0000
Subject: [PATCH 3/5] Enable strict mode and awf firewall for all agentic
workflows
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
---
.github/workflows/ai-moderator.md | 6 ++++++
.github/workflows/archie.md | 2 ++
.github/workflows/audit-workflows.md | 3 +++
.github/workflows/blog-auditor.md | 4 +++-
.github/workflows/brave.md | 2 ++
.github/workflows/breaking-change-checker.md | 3 +++
.github/workflows/campaign-generator.md | 3 +++
.github/workflows/changeset.md | 4 +++-
.github/workflows/ci-coach.md | 3 +++
.github/workflows/cli-consistency-checker.md | 3 +++
.github/workflows/cli-version-checker.md | 4 +++-
.github/workflows/cloclo.md | 3 +++
.github/workflows/close-old-discussions.md | 2 ++
.github/workflows/commit-changes-analyzer.md | 3 +++
.github/workflows/copilot-agent-analysis.md | 4 +++-
.github/workflows/copilot-pr-merged-report.md | 4 +++-
.github/workflows/copilot-pr-nlp-analysis.md | 1 +
.github/workflows/copilot-pr-prompt-analysis.md | 1 +
.github/workflows/copilot-session-insights.md | 4 +++-
.github/workflows/craft.lock.yml | 3 +++
.github/workflows/craft.md | 6 ++++++
.github/workflows/daily-assign-issue-to-user.md | 2 ++
.github/workflows/daily-code-metrics.md | 2 ++
.github/workflows/daily-copilot-token-report.md | 3 +++
.github/workflows/daily-doc-updater.md | 4 +++-
.github/workflows/daily-fact.md | 4 +++-
.github/workflows/daily-file-diet.md | 2 ++
.github/workflows/daily-issues-report.md | 4 +++-
.github/workflows/daily-malicious-code-scan.md | 2 ++
.github/workflows/daily-multi-device-docs-tester.lock.yml | 2 +-
.github/workflows/daily-multi-device-docs-tester.md | 6 ++++--
.github/workflows/daily-news.md | 1 +
.github/workflows/daily-performance-summary.md | 4 +++-
.github/workflows/daily-repo-chronicle.md | 1 +
.github/workflows/daily-workflow-updater.md | 2 ++
.github/workflows/deep-report.md | 4 +++-
.github/workflows/dev-hawk.md | 2 ++
.github/workflows/dev.md | 4 +++-
.github/workflows/developer-docs-consolidator.md | 4 +++-
.github/workflows/dictation-prompt.md | 3 +++
.github/workflows/docs-noob-tester.md | 3 +++
.github/workflows/duplicate-code-detector.md | 2 ++
.github/workflows/example-workflow-analyzer.md | 3 +++
.github/workflows/firewall-escape.md | 2 +-
.github/workflows/firewall.md | 1 +
.github/workflows/github-mcp-structural-analysis.md | 4 +++-
.github/workflows/github-mcp-tools-report.lock.yml | 2 ++
.github/workflows/github-mcp-tools-report.md | 5 +++++
.github/workflows/glossary-maintainer.md | 3 +++
.github/workflows/go-fan.md | 4 +++-
.github/workflows/go-logger.md | 3 +++
.github/workflows/go-pattern-detector.md | 2 ++
.github/workflows/grumpy-reviewer.md | 3 +++
.github/workflows/hourly-ci-cleaner.md | 3 +++
.github/workflows/human-ai-collaboration.md | 2 ++
.github/workflows/incident-response.md | 2 ++
.github/workflows/instructions-janitor.md | 4 +++-
.github/workflows/intelligence.md | 2 ++
.github/workflows/issue-arborist.md | 4 +++-
.github/workflows/issue-monster.md | 3 +++
.github/workflows/jsweep.md | 2 ++
.github/workflows/layout-spec-maintainer.md | 2 ++
.github/workflows/lockfile-stats.md | 2 ++
.github/workflows/mergefest.md | 2 ++
.github/workflows/org-health-report.md | 2 ++
.github/workflows/org-wide-rollout.md | 2 ++
.github/workflows/pdf-summary.md | 2 ++
.github/workflows/plan.md | 3 +++
.github/workflows/poem-bot.md | 2 ++
.github/workflows/portfolio-analyst.md | 3 +++
.github/workflows/pr-nitpick-reviewer.md | 3 +++
.github/workflows/prompt-clustering-analysis.md | 4 +++-
.github/workflows/python-data-charts.md | 3 +++
.github/workflows/q.lock.yml | 2 ++
.github/workflows/q.md | 4 ++++
.github/workflows/release.md | 1 +
.github/workflows/repo-tree-map.md | 3 +++
.github/workflows/repository-quality-improver.md | 2 ++
.github/workflows/safe-output-health.md | 2 ++
.github/workflows/schema-consistency-checker.md | 3 +++
.github/workflows/scout.md | 2 ++
.github/workflows/security-compliance.md | 2 ++
.github/workflows/security-fix-pr.md | 3 +++
.github/workflows/semantic-function-refactor.md | 2 ++
.github/workflows/slide-deck-maintainer.md | 3 +++
.github/workflows/smoke-claude.md | 2 ++
.github/workflows/smoke-codex-firewall.md | 4 +++-
.github/workflows/smoke-codex.md | 4 +++-
.github/workflows/smoke-copilot-playwright.md | 2 +-
.github/workflows/smoke-copilot-safe-inputs.md | 2 ++
.github/workflows/smoke-copilot.md | 2 +-
.github/workflows/smoke-detector.md | 4 +++-
.github/workflows/spec-kit-execute.md | 4 +++-
.github/workflows/spec-kit-executor.md | 4 +++-
.github/workflows/speckit-dispatcher.md | 4 +++-
.github/workflows/stale-repo-identifier.md | 4 +++-
.github/workflows/static-analysis-report.md | 2 ++
.github/workflows/sub-issue-closer.md | 2 ++
.github/workflows/super-linter.md | 3 +++
.github/workflows/technical-doc-writer.md | 3 +++
.github/workflows/tidy.md | 2 ++
.github/workflows/typist.md | 2 ++
.github/workflows/unbloat-docs.md | 4 +++-
.github/workflows/video-analyzer.md | 2 ++
.github/workflows/workflow-generator.md | 3 +++
105 files changed, 269 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/ai-moderator.md b/.github/workflows/ai-moderator.md
index 525b96ffdb8..437167c9400 100644
--- a/.github/workflows/ai-moderator.md
+++ b/.github/workflows/ai-moderator.md
@@ -1,6 +1,7 @@
---
bots: ["agentic-workflows-dev[bot]"]
timeout-minutes: 5
+strict: true
on:
issues:
types: [opened]
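Review bot: `strict: true` here and `sandbox.agent: awf` in the next hunk change only the workflow source, and the diffstat of this commit lists just four `.lock.yml` files (`craft`, `daily-multi-device-docs-tester`, `github-mcp-tools-report`, `q`) next to roughly a hundred `.md` sources. If the compiled lock files are what the runner executes, the remaining workflows keep their old settings until they are recompiled, while their sources already declare strict mode and the sandbox. Unless a later patch in the series regenerates them, a CI step that recompiles and fails on any difference would keep source and lock file from drifting. The same two keys are also repeated by hand in the YAML example further down this file (the hunks at -263 and -277), which is a second copy to keep in sync.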
@@ -16,6 +17,8 @@ on:
engine:
id: copilot
model: gpt-5-mini
+sandbox:
+ agent: awf
tools:
github:
mode: local
@@ -263,6 +266,7 @@ The workflow is configured in `.github/workflows/ai-moderator.md` with the follo
```yaml
timeout-minutes: 5
+strict: true
on:
issues:
types: [opened]
@@ -277,6 +281,8 @@ on:
engine:
id: copilot
model: gpt-5-mini
+sandbox:
+ agent: awf
tools:
github:
mode: local
diff --git a/.github/workflows/archie.md b/.github/workflows/archie.md
index 518843baaf5..f5dddfda428 100644
--- a/.github/workflows/archie.md
+++ b/.github/workflows/archie.md
@@ -13,6 +13,8 @@ permissions:
actions: read
engine: copilot
strict: true
+sandbox:
+ agent: awf
tools:
serena: ["go"]
github:
diff --git a/.github/workflows/audit-workflows.md b/.github/workflows/audit-workflows.md
index d5592829930..70b0cb54bc1 100644
--- a/.github/workflows/audit-workflows.md
+++ b/.github/workflows/audit-workflows.md
@@ -10,6 +10,8 @@ permissions:
pull-requests: read
tracker-id: audit-workflows-daily
engine: claude
+sandbox:
+ agent: awf
tools:
cache-memory: true
timeout: 300
@@ -25,6 +27,7 @@ safe-outputs:
max: 1
close-older-discussions: true
timeout-minutes: 30
+strict: true
imports:
- shared/mcp/gh-aw.md
- shared/jqschema.md
diff --git a/.github/workflows/blog-auditor.md b/.github/workflows/blog-auditor.md
index 0ab9c5d4d45..d375ff99a37 100644
--- a/.github/workflows/blog-auditor.md
+++ b/.github/workflows/blog-auditor.md
@@ -9,12 +9,14 @@ permissions:
pull-requests: read
tracker-id: blog-auditor-weekly
engine: claude
-strict: false
+strict: true
network:
allowed:
- defaults
- githubnext.com
- www.githubnext.com
+sandbox:
+ agent: awf
tools:
playwright:
allowed_domains:
diff --git a/.github/workflows/brave.md b/.github/workflows/brave.md
index bc644614f59..ef8c6effd38 100644
--- a/.github/workflows/brave.md
+++ b/.github/workflows/brave.md
@@ -12,6 +12,8 @@ engine: copilot
strict: true
imports:
- shared/mcp/brave.md
+sandbox:
+ agent: awf
safe-outputs:
add-comment:
max: 1
diff --git a/.github/workflows/breaking-change-checker.md b/.github/workflows/breaking-change-checker.md
index 03fe4d453c5..2f2d66c4176 100644
--- a/.github/workflows/breaking-change-checker.md
+++ b/.github/workflows/breaking-change-checker.md
@@ -9,6 +9,8 @@ permissions:
actions: read
engine: copilot
tracker-id: breaking-change-checker
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos]
@@ -31,6 +33,7 @@ safe-outputs:
run-success: "✅ Analysis complete! [{workflow_name}]({run_url}) has reviewed all changes. Compatibility verdict delivered! 📋"
run-failure: "🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown..."
timeout-minutes: 10
+strict: true
---
# Breaking Change Checker
diff --git a/.github/workflows/campaign-generator.md b/.github/workflows/campaign-generator.md
index 707aa91a0d9..a695461ff81 100644
--- a/.github/workflows/campaign-generator.md
+++ b/.github/workflows/campaign-generator.md
@@ -9,6 +9,8 @@ permissions:
issues: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
@@ -20,6 +22,7 @@ safe-outputs:
target: "${{ github.event.issue.number }}"
assign-to-agent:
timeout-minutes: 5
+strict: true
---
{{#runtime-import? .github/shared-instructions.md}}
diff --git a/.github/workflows/changeset.md b/.github/workflows/changeset.md
index 5eb6afd6dd2..66ba072527b 100644
--- a/.github/workflows/changeset.md
+++ b/.github/workflows/changeset.md
@@ -15,7 +15,7 @@ permissions:
engine:
id: codex
model: gpt-5-mini
-strict: false # Required: codex engine doesn't support network firewall
+strict: true
safe-outputs:
push-to-pull-request-branch:
commit-title-suffix: " [skip-ci]"
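Review bot: The removed line carried the reason strict mode was off (`# Required: codex engine doesn't support network firewall`), and the replacement `strict: true` does not say whether that limitation has gone away. If codex still cannot run behind the firewall, this workflow may stop compiling, or may look hardened while egress is not actually restricted. Confirm the assumption against the recompiled lock file and record it inline, for example `strict: true # codex now runs under sandbox.agent: awf`. The same unexplained flip occurs in daily-fact.md, and in github-mcp-structural-analysis.md, where the removed comment said claude does not support the firewall. The frontmatter continues outside this hunk.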
@@ -28,6 +28,8 @@ network:
allowed:
- defaults
- node
+sandbox:
+ agent: awf
tools:
bash:
- "*"
diff --git a/.github/workflows/ci-coach.md b/.github/workflows/ci-coach.md
index eb8194b2a39..1e822f53599 100644
--- a/.github/workflows/ci-coach.md
+++ b/.github/workflows/ci-coach.md
@@ -11,6 +11,8 @@ permissions:
issues: read
tracker-id: ci-coach-daily
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
@@ -81,6 +83,7 @@ safe-outputs:
create-pull-request:
title-prefix: "[ci-coach] "
timeout-minutes: 30
+strict: true
imports:
- shared/jqschema.md
- shared/reporting.md
diff --git a/.github/workflows/cli-consistency-checker.md b/.github/workflows/cli-consistency-checker.md
index 41093264ad7..1e379f06a24 100644
--- a/.github/workflows/cli-consistency-checker.md
+++ b/.github/workflows/cli-consistency-checker.md
@@ -12,6 +12,8 @@ permissions:
engine: copilot
network:
allowed: [defaults, node, "api.github.com"]
+sandbox:
+ agent: awf
tools:
edit:
web-fetch:
@@ -23,6 +25,7 @@ safe-outputs:
labels: [automation, cli, documentation]
max: 5
timeout-minutes: 20
+strict: true
---
# CLI Consistency Checker
diff --git a/.github/workflows/cli-version-checker.md b/.github/workflows/cli-version-checker.md
index 12902e3ded7..f3f88af65ac 100644
--- a/.github/workflows/cli-version-checker.md
+++ b/.github/workflows/cli-version-checker.md
@@ -7,12 +7,14 @@ permissions:
contents: read
pull-requests: read
issues: read
-strict: false
+strict: true
engine: claude
network:
allowed: [defaults, node, "api.github.com", "ghcr.io"]
imports:
- shared/jqschema.md
+sandbox:
+ agent: awf
tools:
web-fetch:
cache-memory: true
diff --git a/.github/workflows/cloclo.md b/.github/workflows/cloclo.md
index 1a06a25f517..0137d2c9f6d 100644
--- a/.github/workflows/cloclo.md
+++ b/.github/workflows/cloclo.md
@@ -20,6 +20,8 @@ engine:
imports:
- shared/mcp/gh-aw.md
- shared/jqschema.md
+sandbox:
+ agent: awf
tools:
serena: ["go"]
edit:
@@ -38,6 +40,7 @@ safe-outputs:
run-success: "🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟"
run-failure: "🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!"
timeout-minutes: 20
+strict: true
---
# /cloclo
diff --git a/.github/workflows/close-old-discussions.md b/.github/workflows/close-old-discussions.md
index 0c0865ad8cb..ce762245535 100644
--- a/.github/workflows/close-old-discussions.md
+++ b/.github/workflows/close-old-discussions.md
@@ -14,6 +14,8 @@ engine: codex
imports:
- shared/jqschema.md
- shared/discussions-data-fetch.md
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default, discussions]
diff --git a/.github/workflows/commit-changes-analyzer.md b/.github/workflows/commit-changes-analyzer.md
index bfe0dbc9ee2..d19ccb7a38a 100644
--- a/.github/workflows/commit-changes-analyzer.md
+++ b/.github/workflows/commit-changes-analyzer.md
@@ -15,6 +15,8 @@ permissions:
engine:
id: claude
max-turns: 100
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
@@ -26,6 +28,7 @@ safe-outputs:
category: "dev"
max: 1
timeout-minutes: 30
+strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/copilot-agent-analysis.md b/.github/workflows/copilot-agent-analysis.md
index 043469677c4..b552e275550 100644
--- a/.github/workflows/copilot-agent-analysis.md
+++ b/.github/workflows/copilot-agent-analysis.md
@@ -14,7 +14,7 @@ permissions:
actions: read
engine: claude
-strict: false
+strict: true
network:
allowed:
@@ -33,6 +33,8 @@ imports:
- shared/reporting.md
- shared/copilot-pr-data-fetch.md
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/copilot-pr-merged-report.md b/.github/workflows/copilot-pr-merged-report.md
index 47e91c309a3..199cea00b09 100644
--- a/.github/workflows/copilot-pr-merged-report.md
+++ b/.github/workflows/copilot-pr-merged-report.md
@@ -14,8 +14,10 @@ permissions:
actions: read
engine: copilot
-strict: false
+strict: true
+sandbox:
+ agent: awf
tools:
github: false
edit:
diff --git a/.github/workflows/copilot-pr-nlp-analysis.md b/.github/workflows/copilot-pr-nlp-analysis.md
index 6a4ccf2d722..8fee7e93d83 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.md
+++ b/.github/workflows/copilot-pr-nlp-analysis.md
@@ -23,6 +23,7 @@ network:
sandbox:
agent: awf # Firewall enabled (migrated from network.firewall)
+strict: true
safe-outputs:
create-discussion:
title-prefix: "[nlp-analysis] "
diff --git a/.github/workflows/copilot-pr-prompt-analysis.md b/.github/workflows/copilot-pr-prompt-analysis.md
index 90d1174ac13..ba9240348ea 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.md
+++ b/.github/workflows/copilot-pr-prompt-analysis.md
@@ -22,6 +22,7 @@ network:
sandbox:
agent: awf # Firewall enabled (migrated from network.firewall)
+strict: true
safe-outputs:
create-discussion:
title-prefix: "[prompt-analysis] "
diff --git a/.github/workflows/copilot-session-insights.md b/.github/workflows/copilot-session-insights.md
index 899e639e761..8fbc5045bb6 100644
--- a/.github/workflows/copilot-session-insights.md
+++ b/.github/workflows/copilot-session-insights.md
@@ -14,7 +14,7 @@ permissions:
pull-requests: read
engine: claude
-strict: false
+strict: true
network:
allowed:
@@ -30,6 +30,8 @@ safe-outputs:
max: 1
close-older-discussions: true
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index a1d9f721ea7..1d377b53066 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -2890,12 +2890,15 @@ jobs:
contents: read
issues: write
engine: copilot
+ sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
safe-outputs:
add-comment:
timeout-minutes: 10
+ strict: true
---
# My Workflow Title
diff --git a/.github/workflows/craft.md b/.github/workflows/craft.md
index c33f8fc1e40..e47d6c3fc91 100644
--- a/.github/workflows/craft.md
+++ b/.github/workflows/craft.md
@@ -9,6 +9,8 @@ permissions:
issues: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
edit:
bash:
@@ -21,6 +23,7 @@ steps:
gh extension remove gh-aw || true
gh extension install .
timeout-minutes: 15
+strict: true
safe-outputs:
add-comment:
max: 1
@@ -227,12 +230,15 @@ permissions:
contents: read
issues: write
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
safe-outputs:
add-comment:
timeout-minutes: 10
+strict: true
---
# My Workflow Title
diff --git a/.github/workflows/daily-assign-issue-to-user.md b/.github/workflows/daily-assign-issue-to-user.md
index 7b25b532b4e..e4ad3365be2 100644
--- a/.github/workflows/daily-assign-issue-to-user.md
+++ b/.github/workflows/daily-assign-issue-to-user.md
@@ -9,6 +9,8 @@ permissions:
pull-requests: read
contents: read
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [issues, pull_requests, repos]
diff --git a/.github/workflows/daily-code-metrics.md b/.github/workflows/daily-code-metrics.md
index 0a7fa0b8ffc..36a61143faf 100644
--- a/.github/workflows/daily-code-metrics.md
+++ b/.github/workflows/daily-code-metrics.md
@@ -9,6 +9,8 @@ permissions:
pull-requests: read
tracker-id: daily-code-metrics
engine: claude
+sandbox:
+ agent: awf
tools:
cache-memory:
- id: metrics
diff --git a/.github/workflows/daily-copilot-token-report.md b/.github/workflows/daily-copilot-token-report.md
index de5059e85e8..d4a93f501e7 100644
--- a/.github/workflows/daily-copilot-token-report.md
+++ b/.github/workflows/daily-copilot-token-report.md
@@ -11,6 +11,8 @@ permissions:
pull-requests: read
tracker-id: daily-copilot-token-report
engine: copilot
+sandbox:
+ agent: awf
tools:
cache-memory:
- id: token-metrics
@@ -41,6 +43,7 @@ safe-outputs:
max: 1
close-older-discussions: true
timeout-minutes: 20
+strict: true
imports:
- shared/reporting.md
- shared/python-dataviz.md
diff --git a/.github/workflows/daily-doc-updater.md b/.github/workflows/daily-doc-updater.md
index a5893530e5c..658061c20e9 100644
--- a/.github/workflows/daily-doc-updater.md
+++ b/.github/workflows/daily-doc-updater.md
@@ -14,7 +14,7 @@ permissions:
tracker-id: daily-doc-updater
engine: claude
-strict: false
+strict: true
network:
allowed:
@@ -28,6 +28,8 @@ safe-outputs:
reviewers: copilot
draft: false
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/daily-fact.md b/.github/workflows/daily-fact.md
index b99956d3543..6c9ab325874 100644
--- a/.github/workflows/daily-fact.md
+++ b/.github/workflows/daily-fact.md
@@ -14,13 +14,15 @@ tracker-id: daily-fact-thread
engine:
id: codex
model: gpt-5-mini
-strict: false # Required: codex engine doesn't support network firewall
+strict: true
timeout-minutes: 15
network:
allowed:
- defaults
+sandbox:
+ agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/daily-file-diet.md b/.github/workflows/daily-file-diet.md
index 41dcb69380a..3ef3eddaa2a 100644
--- a/.github/workflows/daily-file-diet.md
+++ b/.github/workflows/daily-file-diet.md
@@ -26,6 +26,8 @@ safe-outputs:
labels: [refactoring, code-health, automated-analysis]
max: 1
+sandbox:
+ agent: awf
tools:
serena: ["go"]
github:
diff --git a/.github/workflows/daily-issues-report.md b/.github/workflows/daily-issues-report.md
index 2ae5fb4388a..75629c7d444 100644
--- a/.github/workflows/daily-issues-report.md
+++ b/.github/workflows/daily-issues-report.md
@@ -10,8 +10,10 @@ permissions:
pull-requests: read
discussions: write
engine: codex
-strict: false
+strict: true
tracker-id: daily-issues-report
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default, discussions]
diff --git a/.github/workflows/daily-malicious-code-scan.md b/.github/workflows/daily-malicious-code-scan.md
index 761858d43a1..1a51eedc70d 100644
--- a/.github/workflows/daily-malicious-code-scan.md
+++ b/.github/workflows/daily-malicious-code-scan.md
@@ -9,6 +9,8 @@ permissions:
security-events: read
tracker-id: malicious-code-scan
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos, code_security]
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 2d55bd00b91..83fb769d91a 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -140,7 +140,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
- issues: write
+ issues: read
pull-requests: read
concurrency:
group: "gh-aw-claude-${{ github.workflow }}"
diff --git a/.github/workflows/daily-multi-device-docs-tester.md b/.github/workflows/daily-multi-device-docs-tester.md
index 79cb1cddd91..66bce123193 100644
--- a/.github/workflows/daily-multi-device-docs-tester.md
+++ b/.github/workflows/daily-multi-device-docs-tester.md
@@ -11,14 +11,16 @@ on:
default: 'mobile,tablet,desktop'
permissions:
contents: read
- issues: write
+ issues: read
pull-requests: read
tracker-id: daily-multi-device-docs-tester
engine:
id: claude
max-turns: 30 # Prevent runaway token usage
-strict: false
+strict: true
timeout-minutes: 30
+sandbox:
+ agent: awf
tools:
playwright:
version: "v1.56.1"
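Review bot: Dropping `issues: write` to `issues: read` is the right direction for least privilege, but nothing in this hunk shows how the workflow will still report its findings. If the tester files issues, that write now has to go through a `safe-outputs` entry such as `create-issue` elsewhere in the frontmatter, which is outside the hunk. Without one, the run would presumably fail at the reporting step. A short comment such as `issues: read # writes go through safe-outputs` would make the dependency explicit.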
diff --git a/.github/workflows/daily-news.md b/.github/workflows/daily-news.md
index 6be3809631f..56ec5cef7fa 100644
--- a/.github/workflows/daily-news.md
+++ b/.github/workflows/daily-news.md
@@ -26,6 +26,7 @@ network:
sandbox:
agent: awf # Firewall enabled (migrated from network.firewall)
+strict: true
safe-outputs:
upload-assets:
create-discussion:
diff --git a/.github/workflows/daily-performance-summary.md b/.github/workflows/daily-performance-summary.md
index 376aa5f5d8c..8d3ef384a5f 100644
--- a/.github/workflows/daily-performance-summary.md
+++ b/.github/workflows/daily-performance-summary.md
@@ -10,8 +10,10 @@ permissions:
pull-requests: read
discussions: write
engine: codex
-strict: false
+strict: true
tracker-id: daily-performance-summary
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default, discussions]
diff --git a/.github/workflows/daily-repo-chronicle.md b/.github/workflows/daily-repo-chronicle.md
index feb1219fc78..52845fd1049 100644
--- a/.github/workflows/daily-repo-chronicle.md
+++ b/.github/workflows/daily-repo-chronicle.md
@@ -29,6 +29,7 @@ tools:
toolsets:
- default
- discussions
+strict: true
safe-outputs:
upload-assets:
create-discussion:
diff --git a/.github/workflows/daily-workflow-updater.md b/.github/workflows/daily-workflow-updater.md
index b3f7edf54a4..b134837fc0b 100644
--- a/.github/workflows/daily-workflow-updater.md
+++ b/.github/workflows/daily-workflow-updater.md
@@ -27,6 +27,8 @@ safe-outputs:
labels: [dependencies, automation]
draft: false
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/deep-report.md b/.github/workflows/deep-report.md
index 577963f4de5..85206c2bbe0 100644
--- a/.github/workflows/deep-report.md
+++ b/.github/workflows/deep-report.md
@@ -18,7 +18,7 @@ permissions:
tracker-id: deep-report-intel-agent
timeout-minutes: 45
engine: codex
-strict: false
+strict: true
network:
allowed:
@@ -33,6 +33,8 @@ safe-outputs:
max: 1
close-older-discussions: true
+sandbox:
+ agent: awf
tools:
repo-memory:
branch-name: memory/deep-report
diff --git a/.github/workflows/dev-hawk.md b/.github/workflows/dev-hawk.md
index 29b6d83bf44..9cd59c01756 100644
--- a/.github/workflows/dev-hawk.md
+++ b/.github/workflows/dev-hawk.md
@@ -15,6 +15,8 @@ permissions:
actions: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [pull_requests, actions, repos]
diff --git a/.github/workflows/dev.md b/.github/workflows/dev.md
index 3301b901084..43f6ddf37a7 100644
--- a/.github/workflows/dev.md
+++ b/.github/workflows/dev.md
@@ -4,13 +4,15 @@ on:
name: Dev
description: Add a poem to the latest discussion
timeout-minutes: 5
-strict: false
+strict: true
engine: copilot
permissions:
contents: read
discussions: read
+sandbox:
+ agent: awf
tools:
github:
toolsets: [discussions]
diff --git a/.github/workflows/developer-docs-consolidator.md b/.github/workflows/developer-docs-consolidator.md
index 4c288cef12c..385bd506541 100644
--- a/.github/workflows/developer-docs-consolidator.md
+++ b/.github/workflows/developer-docs-consolidator.md
@@ -14,7 +14,7 @@ permissions:
pull-requests: read
engine: claude
-strict: false
+strict: true
network:
allowed:
@@ -31,6 +31,8 @@ safe-outputs:
labels: [documentation, automation]
draft: false
+sandbox:
+ agent: awf
tools:
serena: ["go"]
cache-memory:
diff --git a/.github/workflows/dictation-prompt.md b/.github/workflows/dictation-prompt.md
index 6e83356c41a..00144f61fd3 100644
--- a/.github/workflows/dictation-prompt.md
+++ b/.github/workflows/dictation-prompt.md
@@ -18,6 +18,8 @@ network: defaults
imports:
- shared/reporting.md
+sandbox:
+ agent: awf
tools:
edit:
bash:
@@ -32,6 +34,7 @@ safe-outputs:
draft: false
timeout-minutes: 10
+strict: true
---
# Dictation Prompt Generator
diff --git a/.github/workflows/docs-noob-tester.md b/.github/workflows/docs-noob-tester.md
index 3c0a2e689f4..a8bc92b5208 100644
--- a/.github/workflows/docs-noob-tester.md
+++ b/.github/workflows/docs-noob-tester.md
@@ -10,6 +10,9 @@ permissions:
pull-requests: read
engine: copilot
timeout-minutes: 30
+strict: true
+sandbox:
+ agent: awf
tools:
playwright:
edit:
diff --git a/.github/workflows/duplicate-code-detector.md b/.github/workflows/duplicate-code-detector.md
index 15264466484..2cf2e57c2c6 100644
--- a/.github/workflows/duplicate-code-detector.md
+++ b/.github/workflows/duplicate-code-detector.md
@@ -9,6 +9,8 @@ permissions:
issues: read
pull-requests: read
engine: codex
+sandbox:
+ agent: awf
tools:
serena: ["go"]
safe-outputs:
diff --git a/.github/workflows/example-workflow-analyzer.md b/.github/workflows/example-workflow-analyzer.md
index c986b2a52a8..1d81fd578b8 100644
--- a/.github/workflows/example-workflow-analyzer.md
+++ b/.github/workflows/example-workflow-analyzer.md
@@ -9,6 +9,8 @@ permissions:
pull-requests: read
actions: read
engine: claude
+sandbox:
+ agent: awf
tools:
agentic-workflows:
github:
@@ -19,6 +21,7 @@ safe-outputs:
category: "Audits"
close-older-discussions: true
timeout-minutes: 10
+strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/firewall-escape.md b/.github/workflows/firewall-escape.md
index 371aaa527ea..f8a9a4b5287 100644
--- a/.github/workflows/firewall-escape.md
+++ b/.github/workflows/firewall-escape.md
@@ -15,7 +15,7 @@ permissions:
issues: read
pull-requests: read
-strict: false
+strict: true
engine: copilot
diff --git a/.github/workflows/firewall.md b/.github/workflows/firewall.md
index e27b4c9c5f1..76051b15738 100644
--- a/.github/workflows/firewall.md
+++ b/.github/workflows/firewall.md
@@ -21,6 +21,7 @@ tools:
web-fetch:
timeout-minutes: 5
+strict: true
---
# Firewall Test Agent
diff --git a/.github/workflows/github-mcp-structural-analysis.md b/.github/workflows/github-mcp-structural-analysis.md
index e2b49448be8..82496fc5a19 100644
--- a/.github/workflows/github-mcp-structural-analysis.md
+++ b/.github/workflows/github-mcp-structural-analysis.md
@@ -14,7 +14,9 @@ permissions:
repository-projects: read
security-events: read
engine: claude
-strict: false # Required: imports python-dataviz.md which needs network access, and claude doesn't support firewall
+strict: true
+sandbox:
+ agent: awf
tools:
github:
mode: local
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 7825fda3a33..9d83d0e41c0 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -2279,6 +2279,8 @@ jobs:
When configuring the GitHub MCP server in agentic workflows, you can enable specific toolsets:
```yaml
+ sandbox:
+ agent: awf
tools:
github:
mode: "remote" # or "local"
diff --git a/.github/workflows/github-mcp-tools-report.md b/.github/workflows/github-mcp-tools-report.md
index 4b7282c9e3d..339bf1131c7 100644
--- a/.github/workflows/github-mcp-tools-report.md
+++ b/.github/workflows/github-mcp-tools-report.md
@@ -12,6 +12,8 @@ permissions:
repository-projects: read
security-events: read
engine: claude
+sandbox:
+ agent: awf
tools:
github:
mode: "remote"
@@ -29,6 +31,7 @@ safe-outputs:
reviewers: copilot
draft: false
timeout-minutes: 15
+strict: true
imports:
- shared/reporting.md
---
@@ -280,6 +283,8 @@ Based on the analysis of available tools and their usage patterns, the following
When configuring the GitHub MCP server in agentic workflows, you can enable specific toolsets:
```yaml
+sandbox:
+ agent: awf
tools:
github:
mode: "remote" # or "local"
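Review bot: This third hunk adds `sandbox:` / `agent: awf` to a fenced example in the prompt body, not to the workflow's own frontmatter. The surrounding sentence presents the snippet as the way to enable specific GitHub MCP toolsets, so the sandbox lines are unrelated to what the example illustrates. They look like the result of inserting the block before every `tools:` line. I would drop the two added lines here and keep only the frontmatter hunks. The same applies to the example snippet in q.md's second hunk and, after recompiling, to the matching .lock.yml files.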
diff --git a/.github/workflows/glossary-maintainer.md b/.github/workflows/glossary-maintainer.md
index c6feb0c7e74..d5225dba5af 100644
--- a/.github/workflows/glossary-maintainer.md
+++ b/.github/workflows/glossary-maintainer.md
@@ -31,6 +31,8 @@ safe-outputs:
labels: [documentation, glossary]
draft: false
+sandbox:
+ agent: awf
tools:
serena: ["go"]
cache-memory: true
@@ -44,6 +46,7 @@ tools:
- "git log --since='7 days ago' --oneline"
timeout-minutes: 20
+strict: true
---
diff --git a/.github/workflows/go-fan.md b/.github/workflows/go-fan.md
index 601fa327862..48382dee6ef 100644
--- a/.github/workflows/go-fan.md
+++ b/.github/workflows/go-fan.md
@@ -32,6 +32,8 @@ safe-outputs:
max: 1
close-older-discussions: true
+sandbox:
+ agent: awf
tools:
serena: ["go"]
cache-memory: true
@@ -48,7 +50,7 @@ tools:
- "cat specs/mods/*"
timeout-minutes: 30
-strict: false
+strict: true
---
# Go Fan 🐹 - Daily Go Module Reviewer
diff --git a/.github/workflows/go-logger.md b/.github/workflows/go-logger.md
index d4892097270..721e31d303e 100644
--- a/.github/workflows/go-logger.md
+++ b/.github/workflows/go-logger.md
@@ -34,6 +34,8 @@ steps:
run: npm ci
working-directory: ./pkg/workflow/js
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
@@ -50,6 +52,7 @@ tools:
cache-memory:
timeout-minutes: 15
+strict: true
---
# Go Logger Enhancement
diff --git a/.github/workflows/go-pattern-detector.md b/.github/workflows/go-pattern-detector.md
index 90f3ee7eb3f..82d8e9ed25d 100644
--- a/.github/workflows/go-pattern-detector.md
+++ b/.github/workflows/go-pattern-detector.md
@@ -52,6 +52,8 @@ timeout-minutes: 10
imports:
- shared/mcp/ast-grep.md
+sandbox:
+ agent: awf
safe-outputs:
create-issue:
title-prefix: "[ast-grep] "
diff --git a/.github/workflows/grumpy-reviewer.md b/.github/workflows/grumpy-reviewer.md
index a6d66443d50..efb3da2954f 100644
--- a/.github/workflows/grumpy-reviewer.md
+++ b/.github/workflows/grumpy-reviewer.md
@@ -8,6 +8,8 @@ permissions:
contents: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
@@ -24,6 +26,7 @@ safe-outputs:
run-success: "😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄"
run-failure: "😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse..."
timeout-minutes: 10
+strict: true
---
# Grumpy Code Reviewer 🔥
diff --git a/.github/workflows/hourly-ci-cleaner.md b/.github/workflows/hourly-ci-cleaner.md
index e70079b2c4a..453d08ea466 100644
--- a/.github/workflows/hourly-ci-cleaner.md
+++ b/.github/workflows/hourly-ci-cleaner.md
@@ -11,6 +11,8 @@ permissions:
pull-requests: read
tracker-id: hourly-ci-cleaner
engine: copilot
+sandbox:
+ agent: awf
tools:
bash: ["*"]
edit:
@@ -67,6 +69,7 @@ safe-outputs:
create-pull-request:
title-prefix: "[ca] "
timeout-minutes: 45
+strict: true
imports:
- ../agents/ci-cleaner.agent.md
---
diff --git a/.github/workflows/human-ai-collaboration.md b/.github/workflows/human-ai-collaboration.md
index b6fbc2a4e88..b5151c2d00e 100644
--- a/.github/workflows/human-ai-collaboration.md
+++ b/.github/workflows/human-ai-collaboration.md
@@ -24,6 +24,8 @@ safe-outputs:
create-issue:
max: 1 # Only epic for human review
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos, issues, search]
diff --git a/.github/workflows/incident-response.md b/.github/workflows/incident-response.md
index 58c4781fe6e..85e53a55625 100644
--- a/.github/workflows/incident-response.md
+++ b/.github/workflows/incident-response.md
@@ -32,6 +32,8 @@ permissions:
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos, issues, pull_requests, search]
diff --git a/.github/workflows/instructions-janitor.md b/.github/workflows/instructions-janitor.md
index 68b7fc4590c..c746cb5c5c8 100644
--- a/.github/workflows/instructions-janitor.md
+++ b/.github/workflows/instructions-janitor.md
@@ -11,7 +11,7 @@ permissions:
pull-requests: read
engine: claude
-strict: false
+strict: true
network:
allowed:
@@ -24,6 +24,8 @@ safe-outputs:
labels: [documentation, automation, instructions]
draft: false
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/intelligence.md b/.github/workflows/intelligence.md
index 559d789d4c1..86fb6f364e6 100644
--- a/.github/workflows/intelligence.md
+++ b/.github/workflows/intelligence.md
@@ -30,6 +30,8 @@ safe-outputs:
create-issue:
max: 1 # Intelligence report issue
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos, issues, search]
diff --git a/.github/workflows/issue-arborist.md b/.github/workflows/issue-arborist.md
index 432be784c88..cda70d9e653 100644
--- a/.github/workflows/issue-arborist.md
+++ b/.github/workflows/issue-arborist.md
@@ -8,13 +8,15 @@ permissions:
contents: read
issues: read
engine: codex
-strict: false
+strict: true
network:
allowed:
- defaults
- github
imports:
- shared/jqschema.md
+sandbox:
+ agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/issue-monster.md b/.github/workflows/issue-monster.md
index f66b0dbace7..54e97dec5ac 100644
--- a/.github/workflows/issue-monster.md
+++ b/.github/workflows/issue-monster.md
@@ -15,7 +15,10 @@ permissions:
engine: copilot
timeout-minutes: 30
+strict: true
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default, pull_requests]
diff --git a/.github/workflows/jsweep.md b/.github/workflows/jsweep.md
index a96888f9e27..5a8f57471b9 100644
--- a/.github/workflows/jsweep.md
+++ b/.github/workflows/jsweep.md
@@ -10,6 +10,8 @@ permissions:
pull-requests: read
tracker-id: jsweep-daily
engine: copilot
+sandbox:
+ agent: awf
tools:
serena: ["typescript"]
github:
diff --git a/.github/workflows/layout-spec-maintainer.md b/.github/workflows/layout-spec-maintainer.md
index 3641f17d597..1630f5be16e 100644
--- a/.github/workflows/layout-spec-maintainer.md
+++ b/.github/workflows/layout-spec-maintainer.md
@@ -30,6 +30,8 @@ safe-outputs:
labels: [documentation, automation]
draft: false
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/lockfile-stats.md b/.github/workflows/lockfile-stats.md
index e437eed043e..765764b05dc 100644
--- a/.github/workflows/lockfile-stats.md
+++ b/.github/workflows/lockfile-stats.md
@@ -8,6 +8,8 @@ permissions:
issues: read
pull-requests: read
engine: claude
+sandbox:
+ agent: awf
tools:
cache-memory: true
bash:
diff --git a/.github/workflows/mergefest.md b/.github/workflows/mergefest.md
index 7ac3d499df7..d9d9fc495c3 100644
--- a/.github/workflows/mergefest.md
+++ b/.github/workflows/mergefest.md
@@ -10,6 +10,8 @@ permissions:
pull-requests: read
actions: read
engine: copilot
+sandbox:
+ agent: awf
tools:
bash:
- "git fetch"
diff --git a/.github/workflows/org-health-report.md b/.github/workflows/org-health-report.md
index 48d8031d93f..6f7c303ec3c 100644
--- a/.github/workflows/org-health-report.md
+++ b/.github/workflows/org-health-report.md
@@ -10,6 +10,8 @@ permissions:
pull-requests: read
discussions: write
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/org-wide-rollout.md b/.github/workflows/org-wide-rollout.md
index 7ac8a3bb7e1..2ed41007113 100644
--- a/.github/workflows/org-wide-rollout.md
+++ b/.github/workflows/org-wide-rollout.md
@@ -39,6 +39,8 @@ permissions:
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos, issues, pull_requests, search]
diff --git a/.github/workflows/pdf-summary.md b/.github/workflows/pdf-summary.md
index 0b52604a6c2..f4478bf3fbe 100644
--- a/.github/workflows/pdf-summary.md
+++ b/.github/workflows/pdf-summary.md
@@ -29,6 +29,8 @@ engine: copilot
imports:
- shared/mcp/markitdown.md
+sandbox:
+ agent: awf
tools:
cache-memory: true
diff --git a/.github/workflows/plan.md b/.github/workflows/plan.md
index 53a3cabbcaf..30378aa4947 100644
--- a/.github/workflows/plan.md
+++ b/.github/workflows/plan.md
@@ -11,6 +11,8 @@ permissions:
issues: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default, discussions]
@@ -22,6 +24,7 @@ safe-outputs:
close-discussion:
required-category: "Ideas"
timeout-minutes: 10
+strict: true
---
# Planning Assistant
diff --git a/.github/workflows/poem-bot.md b/.github/workflows/poem-bot.md
index 5f19bc31b9c..d7d5e23a33f 100644
--- a/.github/workflows/poem-bot.md
+++ b/.github/workflows/poem-bot.md
@@ -35,6 +35,8 @@ engine:
network: {}
# Tools configuration
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
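Review bot: The new `sandbox:` block lands between the `# Tools configuration` comment and the `tools:` key it describes, so the comment now labels the sandbox setting instead. Move the two added lines above the comment, or give them their own heading such as `# Sandbox configuration`. The frontmatter starts and ends outside this hunk.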
diff --git a/.github/workflows/portfolio-analyst.md b/.github/workflows/portfolio-analyst.md
index d1f042d09af..3731848bc66 100644
--- a/.github/workflows/portfolio-analyst.md
+++ b/.github/workflows/portfolio-analyst.md
@@ -12,6 +12,8 @@ tracker-id: portfolio-analyst-weekly
engine: copilot
network:
allowed: [python]
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
@@ -30,6 +32,7 @@ safe-outputs:
close-older-discussions: true
upload-assets:
timeout-minutes: 20
+strict: true
imports:
- shared/mcp/gh-aw.md
- shared/reporting.md
diff --git a/.github/workflows/pr-nitpick-reviewer.md b/.github/workflows/pr-nitpick-reviewer.md
index 73c0086eb1f..9c0d0af97d3 100644
--- a/.github/workflows/pr-nitpick-reviewer.md
+++ b/.github/workflows/pr-nitpick-reviewer.md
@@ -7,6 +7,8 @@ permissions:
pull-requests: read
actions: read
engine: copilot
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
@@ -27,6 +29,7 @@ safe-outputs:
run-success: "🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅"
run-failure: "🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected..."
timeout-minutes: 15
+strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/prompt-clustering-analysis.md b/.github/workflows/prompt-clustering-analysis.md
index 1f7f503774a..5ae02469ea7 100644
--- a/.github/workflows/prompt-clustering-analysis.md
+++ b/.github/workflows/prompt-clustering-analysis.md
@@ -11,7 +11,7 @@ permissions:
issues: read
actions: read
engine: claude
-strict: false
+strict: true
network:
allowed:
@@ -39,6 +39,8 @@ cache:
restore-keys: |
prompt-clustering-cache-
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/python-data-charts.md b/.github/workflows/python-data-charts.md
index 26f2d1a93fe..24a44a9c708 100644
--- a/.github/workflows/python-data-charts.md
+++ b/.github/workflows/python-data-charts.md
@@ -8,6 +8,8 @@ permissions:
issues: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
agentic-workflows:
edit:
@@ -19,6 +21,7 @@ safe-outputs:
category: "artifacts"
max: 1
timeout-minutes: 15
+strict: true
---
# Python Data Visualization Generator
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 0274cd8d19e..4eae8a73f3b 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -2948,6 +2948,8 @@ jobs:
Example:
```yaml
+ sandbox:
+ agent: awf
tools:
github:
allowed:
diff --git a/.github/workflows/q.md b/.github/workflows/q.md
index f8213660366..0cb6a6932ff 100644
--- a/.github/workflows/q.md
+++ b/.github/workflows/q.md
@@ -16,6 +16,8 @@ engine: copilot
imports:
- shared/mcp/gh-aw.md
- shared/mcp/tavily.md
+sandbox:
+ agent: awf
tools:
serena: ["go"]
github:
@@ -181,6 +183,8 @@ If logs show missing tool reports:
Example:
```yaml
+sandbox:
+ agent: awf
tools:
github:
allowed:
diff --git a/.github/workflows/release.md b/.github/workflows/release.md
index 9decdd24397..1610a72a971 100644
--- a/.github/workflows/release.md
+++ b/.github/workflows/release.md
@@ -25,6 +25,7 @@ tools:
bash:
- "*"
edit:
+strict: true
safe-outputs:
update-release:
jobs:
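Review bot: The release workflow keeps `bash: - "*"` under `tools:` and gains `strict: true`, but unlike most other workflows touched by this patch it gets no `sandbox:` block in the visible hunk. That may leave the agent with the widest shell access as the one outside the awf firewall. If the sandbox is not already declared elsewhere in the frontmatter (the hunk shows only part of it), add `sandbox:` with `agent: awf` ahead of `tools:`, or add a comment such as `# release runs without the awf sandbox because <reason>` so the exemption is deliberate and reviewable. The same gap appears in the smoke-copilot-playwright.md and smoke-copilot.md hunks, which flip `strict: false` to `strict: true` with no sandbox line in view.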
diff --git a/.github/workflows/repo-tree-map.md b/.github/workflows/repo-tree-map.md
index 7db075d0af7..81bc153d6b9 100644
--- a/.github/workflows/repo-tree-map.md
+++ b/.github/workflows/repo-tree-map.md
@@ -11,6 +11,8 @@ permissions:
engine: copilot
+sandbox:
+ agent: awf
tools:
edit:
bash:
@@ -23,6 +25,7 @@ safe-outputs:
close-older-discussions: true
timeout-minutes: 5
+strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/repository-quality-improver.md b/.github/workflows/repository-quality-improver.md
index 58460bb211d..ff6c3c25e03 100644
--- a/.github/workflows/repository-quality-improver.md
+++ b/.github/workflows/repository-quality-improver.md
@@ -10,6 +10,8 @@ permissions:
issues: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
serena: ["go"]
edit:
diff --git a/.github/workflows/safe-output-health.md b/.github/workflows/safe-output-health.md
index be35f016311..f2b6ff0c709 100644
--- a/.github/workflows/safe-output-health.md
+++ b/.github/workflows/safe-output-health.md
@@ -9,6 +9,8 @@ permissions:
pull-requests: read
actions: read
engine: claude
+sandbox:
+ agent: awf
tools:
cache-memory: true
timeout: 300
diff --git a/.github/workflows/schema-consistency-checker.md b/.github/workflows/schema-consistency-checker.md
index ef8b83b3ad1..39d360c1881 100644
--- a/.github/workflows/schema-consistency-checker.md
+++ b/.github/workflows/schema-consistency-checker.md
@@ -9,6 +9,8 @@ permissions:
issues: read
pull-requests: read
engine: claude
+sandbox:
+ agent: awf
tools:
edit:
bash: ["*"]
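Review bot: `sandbox:` / `agent: awf` is added right next to `bash: ["*"]`, and no `network:` key is visible in this hunk, so the egress allowlist the firewall enforces would be whatever the compiler defaults to. With unrestricted shell commands, that allowlist is the effective containment boundary, so it is worth spelling out in the frontmatter, e.g. `network:` with `allowed: [defaults]`, the way sub-issue-closer.md declares it. The frontmatter extends beyond this hunk, so first confirm that it is not already declared above.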
@@ -24,6 +26,7 @@ safe-outputs:
max: 1
close-older-discussions: true
timeout-minutes: 30
+strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/scout.md b/.github/workflows/scout.md
index ab9103a68fa..98676a764ae 100644
--- a/.github/workflows/scout.md
+++ b/.github/workflows/scout.md
@@ -24,6 +24,8 @@ imports:
- shared/mcp/context7.md
- shared/mcp/markitdown.md
- shared/jqschema.md
+sandbox:
+ agent: awf
tools:
edit:
cache-memory: true
diff --git a/.github/workflows/security-compliance.md b/.github/workflows/security-compliance.md
index 3869999f71a..05d1584e02e 100644
--- a/.github/workflows/security-compliance.md
+++ b/.github/workflows/security-compliance.md
@@ -30,6 +30,8 @@ safe-outputs:
max: 100 # 1 epic + vulnerability tasks
labels: [security, campaign-tracker]
+sandbox:
+ agent: awf
tools:
github:
toolsets: [repos, search, code_security]
diff --git a/.github/workflows/security-fix-pr.md b/.github/workflows/security-fix-pr.md
index ea3c10790cc..6c56d4d4701 100644
--- a/.github/workflows/security-fix-pr.md
+++ b/.github/workflows/security-fix-pr.md
@@ -15,6 +15,8 @@ permissions:
pull-requests: read
security-events: read
engine: claude
+sandbox:
+ agent: awf
tools:
github:
toolsets: [context, repos, code_security, pull_requests]
@@ -27,6 +29,7 @@ safe-outputs:
labels: [security, automated-fix]
reviewers: copilot
timeout-minutes: 20
+strict: true
---
# Security Issue Fix Agent
diff --git a/.github/workflows/semantic-function-refactor.md b/.github/workflows/semantic-function-refactor.md
index d4d3959fd01..5349927294e 100644
--- a/.github/workflows/semantic-function-refactor.md
+++ b/.github/workflows/semantic-function-refactor.md
@@ -25,6 +25,8 @@ safe-outputs:
labels: [refactoring, code-quality, automated-analysis]
max: 1
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default, issues]
diff --git a/.github/workflows/slide-deck-maintainer.md b/.github/workflows/slide-deck-maintainer.md
index 30bcfe2dddd..58cf39436a6 100644
--- a/.github/workflows/slide-deck-maintainer.md
+++ b/.github/workflows/slide-deck-maintainer.md
@@ -18,6 +18,9 @@ permissions:
tracker-id: slide-deck-maintainer
engine: copilot
timeout-minutes: 45
+strict: true
+sandbox:
+ agent: awf
tools:
cache-memory: true
playwright:
diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md
index fa50835662f..74b87c60636 100644
--- a/.github/workflows/smoke-claude.md
+++ b/.github/workflows/smoke-claude.md
@@ -24,6 +24,8 @@ network:
- defaults
- github
- playwright
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/smoke-codex-firewall.md b/.github/workflows/smoke-codex-firewall.md
index 9594a403a32..676b11cb946 100644
--- a/.github/workflows/smoke-codex-firewall.md
+++ b/.github/workflows/smoke-codex-firewall.md
@@ -14,7 +14,7 @@ permissions:
pull-requests: read
name: Smoke Codex Firewall
engine: codex
-strict: false
+strict: true
network:
allowed:
- defaults
@@ -33,6 +33,8 @@ safe-outputs:
run-success: "✅ Firewall validation complete... [{workflow_name}]({run_url}) confirmed network sandboxing is operational. 🛡️"
run-failure: "❌ Firewall validation failed... [{workflow_name}]({run_url}) {status}. Network sandboxing may not be working correctly."
timeout-minutes: 10
+sandbox:
+ agent: awf
tools:
github:
bash:
diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md
index 50c0ced02e4..f1156776662 100644
--- a/.github/workflows/smoke-codex.md
+++ b/.github/workflows/smoke-codex.md
@@ -14,12 +14,14 @@ permissions:
pull-requests: read
name: Smoke Codex
engine: codex
-strict: false
+strict: true
network:
allowed:
- defaults
- github
- playwright
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/smoke-copilot-playwright.md b/.github/workflows/smoke-copilot-playwright.md
index 7b0a1855e5c..5fe80c96e33 100644
--- a/.github/workflows/smoke-copilot-playwright.md
+++ b/.github/workflows/smoke-copilot-playwright.md
@@ -56,7 +56,7 @@ safe-outputs:
run-success: "📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤"
run-failure: "📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident..."
timeout-minutes: 5
-strict: false
+strict: true
steps:
# Pre-flight Docker container test for Playwright MCP
- name: Pre-flight Playwright MCP Test
diff --git a/.github/workflows/smoke-copilot-safe-inputs.md b/.github/workflows/smoke-copilot-safe-inputs.md
index ddb8e47862e..f90f432e92e 100644
--- a/.github/workflows/smoke-copilot-safe-inputs.md
+++ b/.github/workflows/smoke-copilot-safe-inputs.md
@@ -20,6 +20,8 @@ network:
- github
imports:
- shared/gh.md
+sandbox:
+ agent: awf
tools:
edit:
bash:
diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md
index a4bca74b7bc..e04e4d56b11 100644
--- a/.github/workflows/smoke-copilot.md
+++ b/.github/workflows/smoke-copilot.md
@@ -40,7 +40,7 @@ safe-outputs:
run-success: "📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤"
run-failure: "📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident..."
timeout-minutes: 5
-strict: false
+strict: true
---
# Smoke Test: Copilot Engine Validation
diff --git a/.github/workflows/smoke-detector.md b/.github/workflows/smoke-detector.md
index e2fa7a658f6..05e574abd45 100644
--- a/.github/workflows/smoke-detector.md
+++ b/.github/workflows/smoke-detector.md
@@ -52,11 +52,13 @@ engine: claude
imports:
- shared/mcp/gh-aw.md
- shared/reporting.md
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
toolsets: [default, actions]
-strict: false
+strict: true
---
# Smoke Detector - Smoke Test Failure Investigator
diff --git a/.github/workflows/spec-kit-execute.md b/.github/workflows/spec-kit-execute.md
index b03a7200b8d..35c74a871c0 100644
--- a/.github/workflows/spec-kit-execute.md
+++ b/.github/workflows/spec-kit-execute.md
@@ -13,7 +13,7 @@ permissions:
tracker-id: spec-kit-execute
engine: copilot
-strict: false
+strict: true
safe-outputs:
create-pull-request:
@@ -22,6 +22,8 @@ safe-outputs:
reviewers: copilot
draft: false
+sandbox:
+ agent: awf
tools:
cache-memory: true
repo-memory: true
diff --git a/.github/workflows/spec-kit-executor.md b/.github/workflows/spec-kit-executor.md
index 2197726f1cb..9fa0e9cc804 100644
--- a/.github/workflows/spec-kit-executor.md
+++ b/.github/workflows/spec-kit-executor.md
@@ -14,7 +14,7 @@ permissions:
tracker-id: spec-kit-executor
engine: copilot
-strict: false
+strict: true
network:
allowed:
@@ -28,6 +28,8 @@ safe-outputs:
reviewers: copilot
draft: false
+sandbox:
+ agent: awf
tools:
cache-memory: true
repo-memory: true
diff --git a/.github/workflows/speckit-dispatcher.md b/.github/workflows/speckit-dispatcher.md
index d0f74880f45..5d9f298dd4b 100644
--- a/.github/workflows/speckit-dispatcher.md
+++ b/.github/workflows/speckit-dispatcher.md
@@ -13,11 +13,13 @@ permissions:
pull-requests: read
engine: copilot
-strict: false
+strict: true
imports:
- ../agents/speckit-dispatcher.agent.md
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/stale-repo-identifier.md b/.github/workflows/stale-repo-identifier.md
index 790c908ab47..35976c80ea5 100644
--- a/.github/workflows/stale-repo-identifier.md
+++ b/.github/workflows/stale-repo-identifier.md
@@ -18,7 +18,7 @@ permissions:
actions: read
engine: copilot
-strict: false
+strict: true
timeout-minutes: 45
imports:
@@ -43,6 +43,8 @@ safe-outputs:
run-success: "✅ Analysis complete! [{workflow_name}]({run_url}) has finished analyzing stale repositories."
run-failure: "⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}."
+sandbox:
+ agent: awf
tools:
github:
read-only: true
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index b10af8f50ed..4cc73ea4567 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -9,6 +9,8 @@ permissions:
issues: read
pull-requests: read
engine: claude
+sandbox:
+ agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/sub-issue-closer.md b/.github/workflows/sub-issue-closer.md
index 6c92aec804b..9cbcf0b5d11 100644
--- a/.github/workflows/sub-issue-closer.md
+++ b/.github/workflows/sub-issue-closer.md
@@ -12,6 +12,8 @@ strict: true
network:
allowed:
- defaults
+sandbox:
+ agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/super-linter.md b/.github/workflows/super-linter.md
index 1268c037c62..d03259ba7c5 100644
--- a/.github/workflows/super-linter.md
+++ b/.github/workflows/super-linter.md
@@ -16,6 +16,7 @@ safe-outputs:
engine: copilot
name: Super Linter Report
timeout-minutes: 15
+strict: true
imports:
- shared/reporting.md
jobs:
@@ -72,6 +73,8 @@ steps:
with:
name: super-linter-log
path: /tmp/gh-aw/
+sandbox:
+ agent: awf
tools:
cache-memory: true
edit:
diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md
index 3ad96a21270..e6a7b12aa3f 100644
--- a/.github/workflows/technical-doc-writer.md
+++ b/.github/workflows/technical-doc-writer.md
@@ -59,6 +59,8 @@ steps:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: npm run build
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
@@ -67,6 +69,7 @@ tools:
bash:
timeout-minutes: 10
+strict: true
---
diff --git a/.github/workflows/tidy.md b/.github/workflows/tidy.md
index e69e92ed3f4..e8bbd50b20d 100644
--- a/.github/workflows/tidy.md
+++ b/.github/workflows/tidy.md
@@ -28,6 +28,8 @@ timeout-minutes: 10
network: {}
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/typist.md b/.github/workflows/typist.md
index 5a38c64d4f9..284a1f0da95 100644
--- a/.github/workflows/typist.md
+++ b/.github/workflows/typist.md
@@ -22,6 +22,8 @@ safe-outputs:
max: 1
close-older-discussions: true
+sandbox:
+ agent: awf
tools:
serena: ["go"]
github:
diff --git a/.github/workflows/unbloat-docs.md b/.github/workflows/unbloat-docs.md
index 58b87721a54..51736bafd49 100644
--- a/.github/workflows/unbloat-docs.md
+++ b/.github/workflows/unbloat-docs.md
@@ -19,7 +19,7 @@ permissions:
pull-requests: read
issues: read
-strict: false
+strict: true
# AI engine configuration
engine:
@@ -37,6 +37,8 @@ network:
- github
# Tools configuration
+sandbox:
+ agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/video-analyzer.md b/.github/workflows/video-analyzer.md
index 8e94182c247..a141f0ce9e2 100644
--- a/.github/workflows/video-analyzer.md
+++ b/.github/workflows/video-analyzer.md
@@ -18,6 +18,8 @@ engine: copilot
imports:
- shared/ffmpeg.md
+sandbox:
+ agent: awf
tools:
bash:
diff --git a/.github/workflows/workflow-generator.md b/.github/workflows/workflow-generator.md
index d7527095ca1..b4659c54828 100644
--- a/.github/workflows/workflow-generator.md
+++ b/.github/workflows/workflow-generator.md
@@ -9,6 +9,8 @@ permissions:
issues: read
pull-requests: read
engine: copilot
+sandbox:
+ agent: awf
tools:
github:
toolsets: [default]
@@ -20,6 +22,7 @@ safe-outputs:
target: "${{ github.event.issue.number }}"
assign-to-agent:
timeout-minutes: 5
+strict: true
---
{{#runtime-import? .github/shared-instructions.md}}
From dcbcc58424e492e98ae3f0adff09b64fc1f35bbe Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:11:40 +0000
Subject: [PATCH 4/5] Revert unnecessary changes: only change strict: false to
strict: true
Per feedback, strict: true and sandbox: agent: awf should be defaults.
Only workflows that explicitly had strict: false are changed to strict: true.
Workflows without strict: setting remain unchanged to test defaults.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.github/workflows/ai-moderator.md | 6 ------
.github/workflows/archie.md | 2 --
.github/workflows/audit-workflows.md | 3 ---
.github/workflows/blog-auditor.md | 2 --
.github/workflows/brave.md | 2 --
.github/workflows/breaking-change-checker.md | 3 ---
.github/workflows/campaign-generator.md | 3 ---
.github/workflows/changeset.md | 2 --
.github/workflows/ci-coach.md | 3 ---
.github/workflows/cli-consistency-checker.md | 3 ---
.github/workflows/cli-version-checker.md | 2 --
.github/workflows/cloclo.md | 3 ---
.github/workflows/close-old-discussions.md | 2 --
.github/workflows/commit-changes-analyzer.md | 3 ---
.github/workflows/copilot-agent-analysis.md | 2 --
.github/workflows/copilot-pr-merged-report.md | 2 --
.github/workflows/copilot-pr-nlp-analysis.md | 1 -
.github/workflows/copilot-pr-prompt-analysis.md | 1 -
.github/workflows/copilot-session-insights.md | 2 --
.github/workflows/craft.lock.yml | 3 ---
.github/workflows/craft.md | 6 ------
.github/workflows/daily-assign-issue-to-user.md | 2 --
.github/workflows/daily-code-metrics.md | 2 --
.github/workflows/daily-copilot-token-report.md | 3 ---
.github/workflows/daily-doc-updater.md | 2 --
.github/workflows/daily-fact.md | 2 --
.github/workflows/daily-file-diet.md | 2 --
.github/workflows/daily-issues-report.md | 2 --
.github/workflows/daily-malicious-code-scan.md | 2 --
.github/workflows/daily-multi-device-docs-tester.md | 2 --
.github/workflows/daily-news.md | 1 -
.github/workflows/daily-performance-summary.md | 2 --
.github/workflows/daily-repo-chronicle.md | 1 -
.github/workflows/daily-workflow-updater.md | 2 --
.github/workflows/deep-report.md | 2 --
.github/workflows/dev-hawk.md | 2 --
.github/workflows/dev.md | 2 --
.github/workflows/developer-docs-consolidator.md | 2 --
.github/workflows/dictation-prompt.md | 3 ---
.github/workflows/docs-noob-tester.md | 3 ---
.github/workflows/duplicate-code-detector.md | 2 --
.github/workflows/example-workflow-analyzer.md | 3 ---
.github/workflows/firewall.md | 1 -
.github/workflows/github-mcp-structural-analysis.md | 2 --
.github/workflows/github-mcp-tools-report.lock.yml | 2 --
.github/workflows/github-mcp-tools-report.md | 5 -----
.github/workflows/glossary-maintainer.md | 3 ---
.github/workflows/go-fan.md | 2 --
.github/workflows/go-logger.md | 3 ---
.github/workflows/go-pattern-detector.md | 2 --
.github/workflows/grumpy-reviewer.md | 3 ---
.github/workflows/hourly-ci-cleaner.md | 3 ---
.github/workflows/human-ai-collaboration.md | 2 --
.github/workflows/incident-response.md | 2 --
.github/workflows/instructions-janitor.md | 2 --
.github/workflows/intelligence.md | 2 --
.github/workflows/issue-arborist.md | 2 --
.github/workflows/issue-monster.md | 3 ---
.github/workflows/jsweep.md | 2 --
.github/workflows/layout-spec-maintainer.md | 2 --
.github/workflows/lockfile-stats.md | 2 --
.github/workflows/mergefest.md | 2 --
.github/workflows/org-health-report.md | 2 --
.github/workflows/org-wide-rollout.md | 2 --
.github/workflows/pdf-summary.md | 2 --
.github/workflows/plan.md | 3 ---
.github/workflows/poem-bot.md | 2 --
.github/workflows/portfolio-analyst.md | 3 ---
.github/workflows/pr-nitpick-reviewer.md | 3 ---
.github/workflows/prompt-clustering-analysis.md | 2 --
.github/workflows/python-data-charts.md | 3 ---
.github/workflows/q.lock.yml | 2 --
.github/workflows/q.md | 4 ----
.github/workflows/release.md | 1 -
.github/workflows/repo-tree-map.md | 3 ---
.github/workflows/repository-quality-improver.md | 2 --
.github/workflows/safe-output-health.md | 2 --
.github/workflows/schema-consistency-checker.md | 3 ---
.github/workflows/scout.md | 2 --
.github/workflows/security-compliance.md | 2 --
.github/workflows/security-fix-pr.md | 3 ---
.github/workflows/semantic-function-refactor.md | 2 --
.github/workflows/slide-deck-maintainer.md | 3 ---
.github/workflows/smoke-claude.md | 2 --
.github/workflows/smoke-codex-firewall.md | 2 --
.github/workflows/smoke-codex.md | 2 --
.github/workflows/smoke-copilot-safe-inputs.md | 2 --
.github/workflows/smoke-detector.md | 2 --
.github/workflows/spec-kit-execute.md | 2 --
.github/workflows/spec-kit-executor.md | 2 --
.github/workflows/speckit-dispatcher.md | 2 --
.github/workflows/stale-repo-identifier.md | 2 --
.github/workflows/static-analysis-report.md | 2 --
.github/workflows/sub-issue-closer.md | 2 --
.github/workflows/super-linter.md | 3 ---
.github/workflows/technical-doc-writer.md | 3 ---
.github/workflows/tidy.md | 2 --
.github/workflows/typist.md | 2 --
.github/workflows/unbloat-docs.md | 2 --
.github/workflows/video-analyzer.md | 2 --
.github/workflows/workflow-generator.md | 3 ---
101 files changed, 237 deletions(-)
diff --git a/.github/workflows/ai-moderator.md b/.github/workflows/ai-moderator.md
index 437167c9400..525b96ffdb8 100644
--- a/.github/workflows/ai-moderator.md
+++ b/.github/workflows/ai-moderator.md
@@ -1,7 +1,6 @@
---
bots: ["agentic-workflows-dev[bot]"]
timeout-minutes: 5
-strict: true
on:
issues:
types: [opened]
@@ -17,8 +16,6 @@ on:
engine:
id: copilot
model: gpt-5-mini
-sandbox:
- agent: awf
tools:
github:
mode: local
@@ -266,7 +263,6 @@ The workflow is configured in `.github/workflows/ai-moderator.md` with the follo
```yaml
timeout-minutes: 5
-strict: true
on:
issues:
types: [opened]
@@ -281,8 +277,6 @@ on:
engine:
id: copilot
model: gpt-5-mini
-sandbox:
- agent: awf
tools:
github:
mode: local
diff --git a/.github/workflows/archie.md b/.github/workflows/archie.md
index f5dddfda428..518843baaf5 100644
--- a/.github/workflows/archie.md
+++ b/.github/workflows/archie.md
@@ -13,8 +13,6 @@ permissions:
actions: read
engine: copilot
strict: true
-sandbox:
- agent: awf
tools:
serena: ["go"]
github:
diff --git a/.github/workflows/audit-workflows.md b/.github/workflows/audit-workflows.md
index 70b0cb54bc1..d5592829930 100644
--- a/.github/workflows/audit-workflows.md
+++ b/.github/workflows/audit-workflows.md
@@ -10,8 +10,6 @@ permissions:
pull-requests: read
tracker-id: audit-workflows-daily
engine: claude
-sandbox:
- agent: awf
tools:
cache-memory: true
timeout: 300
@@ -27,7 +25,6 @@ safe-outputs:
max: 1
close-older-discussions: true
timeout-minutes: 30
-strict: true
imports:
- shared/mcp/gh-aw.md
- shared/jqschema.md
diff --git a/.github/workflows/blog-auditor.md b/.github/workflows/blog-auditor.md
index d375ff99a37..332ce5ca3c0 100644
--- a/.github/workflows/blog-auditor.md
+++ b/.github/workflows/blog-auditor.md
@@ -15,8 +15,6 @@ network:
- defaults
- githubnext.com
- www.githubnext.com
-sandbox:
- agent: awf
tools:
playwright:
allowed_domains:
diff --git a/.github/workflows/brave.md b/.github/workflows/brave.md
index ef8c6effd38..bc644614f59 100644
--- a/.github/workflows/brave.md
+++ b/.github/workflows/brave.md
@@ -12,8 +12,6 @@ engine: copilot
strict: true
imports:
- shared/mcp/brave.md
-sandbox:
- agent: awf
safe-outputs:
add-comment:
max: 1
diff --git a/.github/workflows/breaking-change-checker.md b/.github/workflows/breaking-change-checker.md
index 2f2d66c4176..03fe4d453c5 100644
--- a/.github/workflows/breaking-change-checker.md
+++ b/.github/workflows/breaking-change-checker.md
@@ -9,8 +9,6 @@ permissions:
actions: read
engine: copilot
tracker-id: breaking-change-checker
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos]
@@ -33,7 +31,6 @@ safe-outputs:
run-success: "✅ Analysis complete! [{workflow_name}]({run_url}) has reviewed all changes. Compatibility verdict delivered! 📋"
run-failure: "🔬 Analysis interrupted! [{workflow_name}]({run_url}) {status}. Compatibility status unknown..."
timeout-minutes: 10
-strict: true
---
# Breaking Change Checker
diff --git a/.github/workflows/campaign-generator.md b/.github/workflows/campaign-generator.md
index a695461ff81..707aa91a0d9 100644
--- a/.github/workflows/campaign-generator.md
+++ b/.github/workflows/campaign-generator.md
@@ -9,8 +9,6 @@ permissions:
issues: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
@@ -22,7 +20,6 @@ safe-outputs:
target: "${{ github.event.issue.number }}"
assign-to-agent:
timeout-minutes: 5
-strict: true
---
{{#runtime-import? .github/shared-instructions.md}}
diff --git a/.github/workflows/changeset.md b/.github/workflows/changeset.md
index 66ba072527b..45cd2ee578c 100644
--- a/.github/workflows/changeset.md
+++ b/.github/workflows/changeset.md
@@ -28,8 +28,6 @@ network:
allowed:
- defaults
- node
-sandbox:
- agent: awf
tools:
bash:
- "*"
diff --git a/.github/workflows/ci-coach.md b/.github/workflows/ci-coach.md
index 1e822f53599..eb8194b2a39 100644
--- a/.github/workflows/ci-coach.md
+++ b/.github/workflows/ci-coach.md
@@ -11,8 +11,6 @@ permissions:
issues: read
tracker-id: ci-coach-daily
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
@@ -83,7 +81,6 @@ safe-outputs:
create-pull-request:
title-prefix: "[ci-coach] "
timeout-minutes: 30
-strict: true
imports:
- shared/jqschema.md
- shared/reporting.md
diff --git a/.github/workflows/cli-consistency-checker.md b/.github/workflows/cli-consistency-checker.md
index 1e379f06a24..41093264ad7 100644
--- a/.github/workflows/cli-consistency-checker.md
+++ b/.github/workflows/cli-consistency-checker.md
@@ -12,8 +12,6 @@ permissions:
engine: copilot
network:
allowed: [defaults, node, "api.github.com"]
-sandbox:
- agent: awf
tools:
edit:
web-fetch:
@@ -25,7 +23,6 @@ safe-outputs:
labels: [automation, cli, documentation]
max: 5
timeout-minutes: 20
-strict: true
---
# CLI Consistency Checker
diff --git a/.github/workflows/cli-version-checker.md b/.github/workflows/cli-version-checker.md
index f3f88af65ac..425b6c20588 100644
--- a/.github/workflows/cli-version-checker.md
+++ b/.github/workflows/cli-version-checker.md
@@ -13,8 +13,6 @@ network:
allowed: [defaults, node, "api.github.com", "ghcr.io"]
imports:
- shared/jqschema.md
-sandbox:
- agent: awf
tools:
web-fetch:
cache-memory: true
diff --git a/.github/workflows/cloclo.md b/.github/workflows/cloclo.md
index 0137d2c9f6d..1a06a25f517 100644
--- a/.github/workflows/cloclo.md
+++ b/.github/workflows/cloclo.md
@@ -20,8 +20,6 @@ engine:
imports:
- shared/mcp/gh-aw.md
- shared/jqschema.md
-sandbox:
- agent: awf
tools:
serena: ["go"]
edit:
@@ -40,7 +38,6 @@ safe-outputs:
run-success: "🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟"
run-failure: "🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!"
timeout-minutes: 20
-strict: true
---
# /cloclo
diff --git a/.github/workflows/close-old-discussions.md b/.github/workflows/close-old-discussions.md
index ce762245535..0c0865ad8cb 100644
--- a/.github/workflows/close-old-discussions.md
+++ b/.github/workflows/close-old-discussions.md
@@ -14,8 +14,6 @@ engine: codex
imports:
- shared/jqschema.md
- shared/discussions-data-fetch.md
-sandbox:
- agent: awf
tools:
github:
toolsets: [default, discussions]
diff --git a/.github/workflows/commit-changes-analyzer.md b/.github/workflows/commit-changes-analyzer.md
index d19ccb7a38a..bfe0dbc9ee2 100644
--- a/.github/workflows/commit-changes-analyzer.md
+++ b/.github/workflows/commit-changes-analyzer.md
@@ -15,8 +15,6 @@ permissions:
engine:
id: claude
max-turns: 100
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
@@ -28,7 +26,6 @@ safe-outputs:
category: "dev"
max: 1
timeout-minutes: 30
-strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/copilot-agent-analysis.md b/.github/workflows/copilot-agent-analysis.md
index b552e275550..f92793dad6e 100644
--- a/.github/workflows/copilot-agent-analysis.md
+++ b/.github/workflows/copilot-agent-analysis.md
@@ -33,8 +33,6 @@ imports:
- shared/reporting.md
- shared/copilot-pr-data-fetch.md
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/copilot-pr-merged-report.md b/.github/workflows/copilot-pr-merged-report.md
index 199cea00b09..60c7b3b4f8f 100644
--- a/.github/workflows/copilot-pr-merged-report.md
+++ b/.github/workflows/copilot-pr-merged-report.md
@@ -16,8 +16,6 @@ permissions:
engine: copilot
strict: true
-sandbox:
- agent: awf
tools:
github: false
edit:
diff --git a/.github/workflows/copilot-pr-nlp-analysis.md b/.github/workflows/copilot-pr-nlp-analysis.md
index 8fee7e93d83..6a4ccf2d722 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.md
+++ b/.github/workflows/copilot-pr-nlp-analysis.md
@@ -23,7 +23,6 @@ network:
sandbox:
agent: awf # Firewall enabled (migrated from network.firewall)
-strict: true
safe-outputs:
create-discussion:
title-prefix: "[nlp-analysis] "
diff --git a/.github/workflows/copilot-pr-prompt-analysis.md b/.github/workflows/copilot-pr-prompt-analysis.md
index ba9240348ea..90d1174ac13 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.md
+++ b/.github/workflows/copilot-pr-prompt-analysis.md
@@ -22,7 +22,6 @@ network:
sandbox:
agent: awf # Firewall enabled (migrated from network.firewall)
-strict: true
safe-outputs:
create-discussion:
title-prefix: "[prompt-analysis] "
diff --git a/.github/workflows/copilot-session-insights.md b/.github/workflows/copilot-session-insights.md
index 8fbc5045bb6..098a9006679 100644
--- a/.github/workflows/copilot-session-insights.md
+++ b/.github/workflows/copilot-session-insights.md
@@ -30,8 +30,6 @@ safe-outputs:
max: 1
close-older-discussions: true
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index 1d377b53066..a1d9f721ea7 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -2890,15 +2890,12 @@ jobs:
contents: read
issues: write
engine: copilot
- sandbox:
- agent: awf
tools:
github:
toolsets: [default]
safe-outputs:
add-comment:
timeout-minutes: 10
- strict: true
---
# My Workflow Title
diff --git a/.github/workflows/craft.md b/.github/workflows/craft.md
index e47d6c3fc91..c33f8fc1e40 100644
--- a/.github/workflows/craft.md
+++ b/.github/workflows/craft.md
@@ -9,8 +9,6 @@ permissions:
issues: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
edit:
bash:
@@ -23,7 +21,6 @@ steps:
gh extension remove gh-aw || true
gh extension install .
timeout-minutes: 15
-strict: true
safe-outputs:
add-comment:
max: 1
@@ -230,15 +227,12 @@ permissions:
contents: read
issues: write
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
safe-outputs:
add-comment:
timeout-minutes: 10
-strict: true
---
# My Workflow Title
diff --git a/.github/workflows/daily-assign-issue-to-user.md b/.github/workflows/daily-assign-issue-to-user.md
index e4ad3365be2..7b25b532b4e 100644
--- a/.github/workflows/daily-assign-issue-to-user.md
+++ b/.github/workflows/daily-assign-issue-to-user.md
@@ -9,8 +9,6 @@ permissions:
pull-requests: read
contents: read
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [issues, pull_requests, repos]
diff --git a/.github/workflows/daily-code-metrics.md b/.github/workflows/daily-code-metrics.md
index 36a61143faf..0a7fa0b8ffc 100644
--- a/.github/workflows/daily-code-metrics.md
+++ b/.github/workflows/daily-code-metrics.md
@@ -9,8 +9,6 @@ permissions:
pull-requests: read
tracker-id: daily-code-metrics
engine: claude
-sandbox:
- agent: awf
tools:
cache-memory:
- id: metrics
diff --git a/.github/workflows/daily-copilot-token-report.md b/.github/workflows/daily-copilot-token-report.md
index d4a93f501e7..de5059e85e8 100644
--- a/.github/workflows/daily-copilot-token-report.md
+++ b/.github/workflows/daily-copilot-token-report.md
@@ -11,8 +11,6 @@ permissions:
pull-requests: read
tracker-id: daily-copilot-token-report
engine: copilot
-sandbox:
- agent: awf
tools:
cache-memory:
- id: token-metrics
@@ -43,7 +41,6 @@ safe-outputs:
max: 1
close-older-discussions: true
timeout-minutes: 20
-strict: true
imports:
- shared/reporting.md
- shared/python-dataviz.md
diff --git a/.github/workflows/daily-doc-updater.md b/.github/workflows/daily-doc-updater.md
index 658061c20e9..fb7b281fee1 100644
--- a/.github/workflows/daily-doc-updater.md
+++ b/.github/workflows/daily-doc-updater.md
@@ -28,8 +28,6 @@ safe-outputs:
reviewers: copilot
draft: false
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/daily-fact.md b/.github/workflows/daily-fact.md
index 6c9ab325874..20539becc45 100644
--- a/.github/workflows/daily-fact.md
+++ b/.github/workflows/daily-fact.md
@@ -21,8 +21,6 @@ network:
allowed:
- defaults
-sandbox:
- agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/daily-file-diet.md b/.github/workflows/daily-file-diet.md
index 3ef3eddaa2a..41dcb69380a 100644
--- a/.github/workflows/daily-file-diet.md
+++ b/.github/workflows/daily-file-diet.md
@@ -26,8 +26,6 @@ safe-outputs:
labels: [refactoring, code-health, automated-analysis]
max: 1
-sandbox:
- agent: awf
tools:
serena: ["go"]
github:
diff --git a/.github/workflows/daily-issues-report.md b/.github/workflows/daily-issues-report.md
index 75629c7d444..204fd04b772 100644
--- a/.github/workflows/daily-issues-report.md
+++ b/.github/workflows/daily-issues-report.md
@@ -12,8 +12,6 @@ permissions:
engine: codex
strict: true
tracker-id: daily-issues-report
-sandbox:
- agent: awf
tools:
github:
toolsets: [default, discussions]
diff --git a/.github/workflows/daily-malicious-code-scan.md b/.github/workflows/daily-malicious-code-scan.md
index 1a51eedc70d..761858d43a1 100644
--- a/.github/workflows/daily-malicious-code-scan.md
+++ b/.github/workflows/daily-malicious-code-scan.md
@@ -9,8 +9,6 @@ permissions:
security-events: read
tracker-id: malicious-code-scan
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos, code_security]
diff --git a/.github/workflows/daily-multi-device-docs-tester.md b/.github/workflows/daily-multi-device-docs-tester.md
index 66bce123193..2c9623f7ff3 100644
--- a/.github/workflows/daily-multi-device-docs-tester.md
+++ b/.github/workflows/daily-multi-device-docs-tester.md
@@ -19,8 +19,6 @@ engine:
max-turns: 30 # Prevent runaway token usage
strict: true
timeout-minutes: 30
-sandbox:
- agent: awf
tools:
playwright:
version: "v1.56.1"
diff --git a/.github/workflows/daily-news.md b/.github/workflows/daily-news.md
index 56ec5cef7fa..6be3809631f 100644
--- a/.github/workflows/daily-news.md
+++ b/.github/workflows/daily-news.md
@@ -26,7 +26,6 @@ network:
sandbox:
agent: awf # Firewall enabled (migrated from network.firewall)
-strict: true
safe-outputs:
upload-assets:
create-discussion:
diff --git a/.github/workflows/daily-performance-summary.md b/.github/workflows/daily-performance-summary.md
index 8d3ef384a5f..36728bfa6d9 100644
--- a/.github/workflows/daily-performance-summary.md
+++ b/.github/workflows/daily-performance-summary.md
@@ -12,8 +12,6 @@ permissions:
engine: codex
strict: true
tracker-id: daily-performance-summary
-sandbox:
- agent: awf
tools:
github:
toolsets: [default, discussions]
diff --git a/.github/workflows/daily-repo-chronicle.md b/.github/workflows/daily-repo-chronicle.md
index 52845fd1049..feb1219fc78 100644
--- a/.github/workflows/daily-repo-chronicle.md
+++ b/.github/workflows/daily-repo-chronicle.md
@@ -29,7 +29,6 @@ tools:
toolsets:
- default
- discussions
-strict: true
safe-outputs:
upload-assets:
create-discussion:
diff --git a/.github/workflows/daily-workflow-updater.md b/.github/workflows/daily-workflow-updater.md
index b134837fc0b..b3f7edf54a4 100644
--- a/.github/workflows/daily-workflow-updater.md
+++ b/.github/workflows/daily-workflow-updater.md
@@ -27,8 +27,6 @@ safe-outputs:
labels: [dependencies, automation]
draft: false
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/deep-report.md b/.github/workflows/deep-report.md
index 85206c2bbe0..4284281c03a 100644
--- a/.github/workflows/deep-report.md
+++ b/.github/workflows/deep-report.md
@@ -33,8 +33,6 @@ safe-outputs:
max: 1
close-older-discussions: true
-sandbox:
- agent: awf
tools:
repo-memory:
branch-name: memory/deep-report
diff --git a/.github/workflows/dev-hawk.md b/.github/workflows/dev-hawk.md
index 9cd59c01756..29b6d83bf44 100644
--- a/.github/workflows/dev-hawk.md
+++ b/.github/workflows/dev-hawk.md
@@ -15,8 +15,6 @@ permissions:
actions: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [pull_requests, actions, repos]
diff --git a/.github/workflows/dev.md b/.github/workflows/dev.md
index 43f6ddf37a7..4df0e5c1dad 100644
--- a/.github/workflows/dev.md
+++ b/.github/workflows/dev.md
@@ -11,8 +11,6 @@ permissions:
contents: read
discussions: read
-sandbox:
- agent: awf
tools:
github:
toolsets: [discussions]
diff --git a/.github/workflows/developer-docs-consolidator.md b/.github/workflows/developer-docs-consolidator.md
index 385bd506541..06f224d111f 100644
--- a/.github/workflows/developer-docs-consolidator.md
+++ b/.github/workflows/developer-docs-consolidator.md
@@ -31,8 +31,6 @@ safe-outputs:
labels: [documentation, automation]
draft: false
-sandbox:
- agent: awf
tools:
serena: ["go"]
cache-memory:
diff --git a/.github/workflows/dictation-prompt.md b/.github/workflows/dictation-prompt.md
index 00144f61fd3..6e83356c41a 100644
--- a/.github/workflows/dictation-prompt.md
+++ b/.github/workflows/dictation-prompt.md
@@ -18,8 +18,6 @@ network: defaults
imports:
- shared/reporting.md
-sandbox:
- agent: awf
tools:
edit:
bash:
@@ -34,7 +32,6 @@ safe-outputs:
draft: false
timeout-minutes: 10
-strict: true
---
# Dictation Prompt Generator
diff --git a/.github/workflows/docs-noob-tester.md b/.github/workflows/docs-noob-tester.md
index a8bc92b5208..3c0a2e689f4 100644
--- a/.github/workflows/docs-noob-tester.md
+++ b/.github/workflows/docs-noob-tester.md
@@ -10,9 +10,6 @@ permissions:
pull-requests: read
engine: copilot
timeout-minutes: 30
-strict: true
-sandbox:
- agent: awf
tools:
playwright:
edit:
diff --git a/.github/workflows/duplicate-code-detector.md b/.github/workflows/duplicate-code-detector.md
index 2cf2e57c2c6..15264466484 100644
--- a/.github/workflows/duplicate-code-detector.md
+++ b/.github/workflows/duplicate-code-detector.md
@@ -9,8 +9,6 @@ permissions:
issues: read
pull-requests: read
engine: codex
-sandbox:
- agent: awf
tools:
serena: ["go"]
safe-outputs:
diff --git a/.github/workflows/example-workflow-analyzer.md b/.github/workflows/example-workflow-analyzer.md
index 1d81fd578b8..c986b2a52a8 100644
--- a/.github/workflows/example-workflow-analyzer.md
+++ b/.github/workflows/example-workflow-analyzer.md
@@ -9,8 +9,6 @@ permissions:
pull-requests: read
actions: read
engine: claude
-sandbox:
- agent: awf
tools:
agentic-workflows:
github:
@@ -21,7 +19,6 @@ safe-outputs:
category: "Audits"
close-older-discussions: true
timeout-minutes: 10
-strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/firewall.md b/.github/workflows/firewall.md
index 76051b15738..e27b4c9c5f1 100644
--- a/.github/workflows/firewall.md
+++ b/.github/workflows/firewall.md
@@ -21,7 +21,6 @@ tools:
web-fetch:
timeout-minutes: 5
-strict: true
---
# Firewall Test Agent
diff --git a/.github/workflows/github-mcp-structural-analysis.md b/.github/workflows/github-mcp-structural-analysis.md
index 82496fc5a19..a857b1ad25d 100644
--- a/.github/workflows/github-mcp-structural-analysis.md
+++ b/.github/workflows/github-mcp-structural-analysis.md
@@ -15,8 +15,6 @@ permissions:
security-events: read
engine: claude
strict: true
-sandbox:
- agent: awf
tools:
github:
mode: local
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 9d83d0e41c0..7825fda3a33 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -2279,8 +2279,6 @@ jobs:
When configuring the GitHub MCP server in agentic workflows, you can enable specific toolsets:
```yaml
- sandbox:
- agent: awf
tools:
github:
mode: "remote" # or "local"
diff --git a/.github/workflows/github-mcp-tools-report.md b/.github/workflows/github-mcp-tools-report.md
index 339bf1131c7..4b7282c9e3d 100644
--- a/.github/workflows/github-mcp-tools-report.md
+++ b/.github/workflows/github-mcp-tools-report.md
@@ -12,8 +12,6 @@ permissions:
repository-projects: read
security-events: read
engine: claude
-sandbox:
- agent: awf
tools:
github:
mode: "remote"
@@ -31,7 +29,6 @@ safe-outputs:
reviewers: copilot
draft: false
timeout-minutes: 15
-strict: true
imports:
- shared/reporting.md
---
@@ -283,8 +280,6 @@ Based on the analysis of available tools and their usage patterns, the following
When configuring the GitHub MCP server in agentic workflows, you can enable specific toolsets:
```yaml
-sandbox:
- agent: awf
tools:
github:
mode: "remote" # or "local"
diff --git a/.github/workflows/glossary-maintainer.md b/.github/workflows/glossary-maintainer.md
index d5225dba5af..c6feb0c7e74 100644
--- a/.github/workflows/glossary-maintainer.md
+++ b/.github/workflows/glossary-maintainer.md
@@ -31,8 +31,6 @@ safe-outputs:
labels: [documentation, glossary]
draft: false
-sandbox:
- agent: awf
tools:
serena: ["go"]
cache-memory: true
@@ -46,7 +44,6 @@ tools:
- "git log --since='7 days ago' --oneline"
timeout-minutes: 20
-strict: true
---
diff --git a/.github/workflows/go-fan.md b/.github/workflows/go-fan.md
index 48382dee6ef..c18be92af06 100644
--- a/.github/workflows/go-fan.md
+++ b/.github/workflows/go-fan.md
@@ -32,8 +32,6 @@ safe-outputs:
max: 1
close-older-discussions: true
-sandbox:
- agent: awf
tools:
serena: ["go"]
cache-memory: true
diff --git a/.github/workflows/go-logger.md b/.github/workflows/go-logger.md
index 721e31d303e..d4892097270 100644
--- a/.github/workflows/go-logger.md
+++ b/.github/workflows/go-logger.md
@@ -34,8 +34,6 @@ steps:
run: npm ci
working-directory: ./pkg/workflow/js
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
@@ -52,7 +50,6 @@ tools:
cache-memory:
timeout-minutes: 15
-strict: true
---
# Go Logger Enhancement
diff --git a/.github/workflows/go-pattern-detector.md b/.github/workflows/go-pattern-detector.md
index 82d8e9ed25d..90f3ee7eb3f 100644
--- a/.github/workflows/go-pattern-detector.md
+++ b/.github/workflows/go-pattern-detector.md
@@ -52,8 +52,6 @@ timeout-minutes: 10
imports:
- shared/mcp/ast-grep.md
-sandbox:
- agent: awf
safe-outputs:
create-issue:
title-prefix: "[ast-grep] "
diff --git a/.github/workflows/grumpy-reviewer.md b/.github/workflows/grumpy-reviewer.md
index efb3da2954f..a6d66443d50 100644
--- a/.github/workflows/grumpy-reviewer.md
+++ b/.github/workflows/grumpy-reviewer.md
@@ -8,8 +8,6 @@ permissions:
contents: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
@@ -26,7 +24,6 @@ safe-outputs:
run-success: "😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄"
run-failure: "😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse..."
timeout-minutes: 10
-strict: true
---
# Grumpy Code Reviewer 🔥
diff --git a/.github/workflows/hourly-ci-cleaner.md b/.github/workflows/hourly-ci-cleaner.md
index 453d08ea466..e70079b2c4a 100644
--- a/.github/workflows/hourly-ci-cleaner.md
+++ b/.github/workflows/hourly-ci-cleaner.md
@@ -11,8 +11,6 @@ permissions:
pull-requests: read
tracker-id: hourly-ci-cleaner
engine: copilot
-sandbox:
- agent: awf
tools:
bash: ["*"]
edit:
@@ -69,7 +67,6 @@ safe-outputs:
create-pull-request:
title-prefix: "[ca] "
timeout-minutes: 45
-strict: true
imports:
- ../agents/ci-cleaner.agent.md
---
diff --git a/.github/workflows/human-ai-collaboration.md b/.github/workflows/human-ai-collaboration.md
index b5151c2d00e..b6fbc2a4e88 100644
--- a/.github/workflows/human-ai-collaboration.md
+++ b/.github/workflows/human-ai-collaboration.md
@@ -24,8 +24,6 @@ safe-outputs:
create-issue:
max: 1 # Only epic for human review
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos, issues, search]
diff --git a/.github/workflows/incident-response.md b/.github/workflows/incident-response.md
index 85e53a55625..58c4781fe6e 100644
--- a/.github/workflows/incident-response.md
+++ b/.github/workflows/incident-response.md
@@ -32,8 +32,6 @@ permissions:
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos, issues, pull_requests, search]
diff --git a/.github/workflows/instructions-janitor.md b/.github/workflows/instructions-janitor.md
index c746cb5c5c8..bee95127b58 100644
--- a/.github/workflows/instructions-janitor.md
+++ b/.github/workflows/instructions-janitor.md
@@ -24,8 +24,6 @@ safe-outputs:
labels: [documentation, automation, instructions]
draft: false
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/intelligence.md b/.github/workflows/intelligence.md
index 86fb6f364e6..559d789d4c1 100644
--- a/.github/workflows/intelligence.md
+++ b/.github/workflows/intelligence.md
@@ -30,8 +30,6 @@ safe-outputs:
create-issue:
max: 1 # Intelligence report issue
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos, issues, search]
diff --git a/.github/workflows/issue-arborist.md b/.github/workflows/issue-arborist.md
index cda70d9e653..b4be948a09c 100644
--- a/.github/workflows/issue-arborist.md
+++ b/.github/workflows/issue-arborist.md
@@ -15,8 +15,6 @@ network:
- github
imports:
- shared/jqschema.md
-sandbox:
- agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/issue-monster.md b/.github/workflows/issue-monster.md
index 54e97dec5ac..f66b0dbace7 100644
--- a/.github/workflows/issue-monster.md
+++ b/.github/workflows/issue-monster.md
@@ -15,10 +15,7 @@ permissions:
engine: copilot
timeout-minutes: 30
-strict: true
-sandbox:
- agent: awf
tools:
github:
toolsets: [default, pull_requests]
diff --git a/.github/workflows/jsweep.md b/.github/workflows/jsweep.md
index 5a8f57471b9..a96888f9e27 100644
--- a/.github/workflows/jsweep.md
+++ b/.github/workflows/jsweep.md
@@ -10,8 +10,6 @@ permissions:
pull-requests: read
tracker-id: jsweep-daily
engine: copilot
-sandbox:
- agent: awf
tools:
serena: ["typescript"]
github:
diff --git a/.github/workflows/layout-spec-maintainer.md b/.github/workflows/layout-spec-maintainer.md
index 1630f5be16e..3641f17d597 100644
--- a/.github/workflows/layout-spec-maintainer.md
+++ b/.github/workflows/layout-spec-maintainer.md
@@ -30,8 +30,6 @@ safe-outputs:
labels: [documentation, automation]
draft: false
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/lockfile-stats.md b/.github/workflows/lockfile-stats.md
index 765764b05dc..e437eed043e 100644
--- a/.github/workflows/lockfile-stats.md
+++ b/.github/workflows/lockfile-stats.md
@@ -8,8 +8,6 @@ permissions:
issues: read
pull-requests: read
engine: claude
-sandbox:
- agent: awf
tools:
cache-memory: true
bash:
diff --git a/.github/workflows/mergefest.md b/.github/workflows/mergefest.md
index d9d9fc495c3..7ac3d499df7 100644
--- a/.github/workflows/mergefest.md
+++ b/.github/workflows/mergefest.md
@@ -10,8 +10,6 @@ permissions:
pull-requests: read
actions: read
engine: copilot
-sandbox:
- agent: awf
tools:
bash:
- "git fetch"
diff --git a/.github/workflows/org-health-report.md b/.github/workflows/org-health-report.md
index 6f7c303ec3c..48d8031d93f 100644
--- a/.github/workflows/org-health-report.md
+++ b/.github/workflows/org-health-report.md
@@ -10,8 +10,6 @@ permissions:
pull-requests: read
discussions: write
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/org-wide-rollout.md b/.github/workflows/org-wide-rollout.md
index 2ed41007113..7ac8a3bb7e1 100644
--- a/.github/workflows/org-wide-rollout.md
+++ b/.github/workflows/org-wide-rollout.md
@@ -39,8 +39,6 @@ permissions:
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos, issues, pull_requests, search]
diff --git a/.github/workflows/pdf-summary.md b/.github/workflows/pdf-summary.md
index f4478bf3fbe..0b52604a6c2 100644
--- a/.github/workflows/pdf-summary.md
+++ b/.github/workflows/pdf-summary.md
@@ -29,8 +29,6 @@ engine: copilot
imports:
- shared/mcp/markitdown.md
-sandbox:
- agent: awf
tools:
cache-memory: true
diff --git a/.github/workflows/plan.md b/.github/workflows/plan.md
index 30378aa4947..53a3cabbcaf 100644
--- a/.github/workflows/plan.md
+++ b/.github/workflows/plan.md
@@ -11,8 +11,6 @@ permissions:
issues: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [default, discussions]
@@ -24,7 +22,6 @@ safe-outputs:
close-discussion:
required-category: "Ideas"
timeout-minutes: 10
-strict: true
---
# Planning Assistant
diff --git a/.github/workflows/poem-bot.md b/.github/workflows/poem-bot.md
index d7d5e23a33f..5f19bc31b9c 100644
--- a/.github/workflows/poem-bot.md
+++ b/.github/workflows/poem-bot.md
@@ -35,8 +35,6 @@ engine:
network: {}
# Tools configuration
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/portfolio-analyst.md b/.github/workflows/portfolio-analyst.md
index 3731848bc66..d1f042d09af 100644
--- a/.github/workflows/portfolio-analyst.md
+++ b/.github/workflows/portfolio-analyst.md
@@ -12,8 +12,6 @@ tracker-id: portfolio-analyst-weekly
engine: copilot
network:
allowed: [python]
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
@@ -32,7 +30,6 @@ safe-outputs:
close-older-discussions: true
upload-assets:
timeout-minutes: 20
-strict: true
imports:
- shared/mcp/gh-aw.md
- shared/reporting.md
diff --git a/.github/workflows/pr-nitpick-reviewer.md b/.github/workflows/pr-nitpick-reviewer.md
index 9c0d0af97d3..73c0086eb1f 100644
--- a/.github/workflows/pr-nitpick-reviewer.md
+++ b/.github/workflows/pr-nitpick-reviewer.md
@@ -7,8 +7,6 @@ permissions:
pull-requests: read
actions: read
engine: copilot
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
@@ -29,7 +27,6 @@ safe-outputs:
run-success: "🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅"
run-failure: "🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected..."
timeout-minutes: 15
-strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/prompt-clustering-analysis.md b/.github/workflows/prompt-clustering-analysis.md
index 5ae02469ea7..ab6d62164ca 100644
--- a/.github/workflows/prompt-clustering-analysis.md
+++ b/.github/workflows/prompt-clustering-analysis.md
@@ -39,8 +39,6 @@ cache:
restore-keys: |
prompt-clustering-cache-
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/python-data-charts.md b/.github/workflows/python-data-charts.md
index 24a44a9c708..26f2d1a93fe 100644
--- a/.github/workflows/python-data-charts.md
+++ b/.github/workflows/python-data-charts.md
@@ -8,8 +8,6 @@ permissions:
issues: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
agentic-workflows:
edit:
@@ -21,7 +19,6 @@ safe-outputs:
category: "artifacts"
max: 1
timeout-minutes: 15
-strict: true
---
# Python Data Visualization Generator
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 4eae8a73f3b..0274cd8d19e 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -2948,8 +2948,6 @@ jobs:
Example:
```yaml
- sandbox:
- agent: awf
tools:
github:
allowed:
diff --git a/.github/workflows/q.md b/.github/workflows/q.md
index 0cb6a6932ff..f8213660366 100644
--- a/.github/workflows/q.md
+++ b/.github/workflows/q.md
@@ -16,8 +16,6 @@ engine: copilot
imports:
- shared/mcp/gh-aw.md
- shared/mcp/tavily.md
-sandbox:
- agent: awf
tools:
serena: ["go"]
github:
@@ -183,8 +181,6 @@ If logs show missing tool reports:
Example:
```yaml
-sandbox:
- agent: awf
tools:
github:
allowed:
diff --git a/.github/workflows/release.md b/.github/workflows/release.md
index 1610a72a971..9decdd24397 100644
--- a/.github/workflows/release.md
+++ b/.github/workflows/release.md
@@ -25,7 +25,6 @@ tools:
bash:
- "*"
edit:
-strict: true
safe-outputs:
update-release:
jobs:
diff --git a/.github/workflows/repo-tree-map.md b/.github/workflows/repo-tree-map.md
index 81bc153d6b9..7db075d0af7 100644
--- a/.github/workflows/repo-tree-map.md
+++ b/.github/workflows/repo-tree-map.md
@@ -11,8 +11,6 @@ permissions:
engine: copilot
-sandbox:
- agent: awf
tools:
edit:
bash:
@@ -25,7 +23,6 @@ safe-outputs:
close-older-discussions: true
timeout-minutes: 5
-strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/repository-quality-improver.md b/.github/workflows/repository-quality-improver.md
index ff6c3c25e03..58460bb211d 100644
--- a/.github/workflows/repository-quality-improver.md
+++ b/.github/workflows/repository-quality-improver.md
@@ -10,8 +10,6 @@ permissions:
issues: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
serena: ["go"]
edit:
diff --git a/.github/workflows/safe-output-health.md b/.github/workflows/safe-output-health.md
index f2b6ff0c709..be35f016311 100644
--- a/.github/workflows/safe-output-health.md
+++ b/.github/workflows/safe-output-health.md
@@ -9,8 +9,6 @@ permissions:
pull-requests: read
actions: read
engine: claude
-sandbox:
- agent: awf
tools:
cache-memory: true
timeout: 300
diff --git a/.github/workflows/schema-consistency-checker.md b/.github/workflows/schema-consistency-checker.md
index 39d360c1881..ef8b83b3ad1 100644
--- a/.github/workflows/schema-consistency-checker.md
+++ b/.github/workflows/schema-consistency-checker.md
@@ -9,8 +9,6 @@ permissions:
issues: read
pull-requests: read
engine: claude
-sandbox:
- agent: awf
tools:
edit:
bash: ["*"]
@@ -26,7 +24,6 @@ safe-outputs:
max: 1
close-older-discussions: true
timeout-minutes: 30
-strict: true
imports:
- shared/reporting.md
---
diff --git a/.github/workflows/scout.md b/.github/workflows/scout.md
index 98676a764ae..ab9103a68fa 100644
--- a/.github/workflows/scout.md
+++ b/.github/workflows/scout.md
@@ -24,8 +24,6 @@ imports:
- shared/mcp/context7.md
- shared/mcp/markitdown.md
- shared/jqschema.md
-sandbox:
- agent: awf
tools:
edit:
cache-memory: true
diff --git a/.github/workflows/security-compliance.md b/.github/workflows/security-compliance.md
index 05d1584e02e..3869999f71a 100644
--- a/.github/workflows/security-compliance.md
+++ b/.github/workflows/security-compliance.md
@@ -30,8 +30,6 @@ safe-outputs:
max: 100 # 1 epic + vulnerability tasks
labels: [security, campaign-tracker]
-sandbox:
- agent: awf
tools:
github:
toolsets: [repos, search, code_security]
diff --git a/.github/workflows/security-fix-pr.md b/.github/workflows/security-fix-pr.md
index 6c56d4d4701..ea3c10790cc 100644
--- a/.github/workflows/security-fix-pr.md
+++ b/.github/workflows/security-fix-pr.md
@@ -15,8 +15,6 @@ permissions:
pull-requests: read
security-events: read
engine: claude
-sandbox:
- agent: awf
tools:
github:
toolsets: [context, repos, code_security, pull_requests]
@@ -29,7 +27,6 @@ safe-outputs:
labels: [security, automated-fix]
reviewers: copilot
timeout-minutes: 20
-strict: true
---
# Security Issue Fix Agent
diff --git a/.github/workflows/semantic-function-refactor.md b/.github/workflows/semantic-function-refactor.md
index 5349927294e..d4d3959fd01 100644
--- a/.github/workflows/semantic-function-refactor.md
+++ b/.github/workflows/semantic-function-refactor.md
@@ -25,8 +25,6 @@ safe-outputs:
labels: [refactoring, code-quality, automated-analysis]
max: 1
-sandbox:
- agent: awf
tools:
github:
toolsets: [default, issues]
diff --git a/.github/workflows/slide-deck-maintainer.md b/.github/workflows/slide-deck-maintainer.md
index 58cf39436a6..30bcfe2dddd 100644
--- a/.github/workflows/slide-deck-maintainer.md
+++ b/.github/workflows/slide-deck-maintainer.md
@@ -18,9 +18,6 @@ permissions:
tracker-id: slide-deck-maintainer
engine: copilot
timeout-minutes: 45
-strict: true
-sandbox:
- agent: awf
tools:
cache-memory: true
playwright:
diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md
index 74b87c60636..fa50835662f 100644
--- a/.github/workflows/smoke-claude.md
+++ b/.github/workflows/smoke-claude.md
@@ -24,8 +24,6 @@ network:
- defaults
- github
- playwright
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/smoke-codex-firewall.md b/.github/workflows/smoke-codex-firewall.md
index 676b11cb946..d2153635b98 100644
--- a/.github/workflows/smoke-codex-firewall.md
+++ b/.github/workflows/smoke-codex-firewall.md
@@ -33,8 +33,6 @@ safe-outputs:
run-success: "✅ Firewall validation complete... [{workflow_name}]({run_url}) confirmed network sandboxing is operational. 🛡️"
run-failure: "❌ Firewall validation failed... [{workflow_name}]({run_url}) {status}. Network sandboxing may not be working correctly."
timeout-minutes: 10
-sandbox:
- agent: awf
tools:
github:
bash:
diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md
index f1156776662..d90060fee89 100644
--- a/.github/workflows/smoke-codex.md
+++ b/.github/workflows/smoke-codex.md
@@ -20,8 +20,6 @@ network:
- defaults
- github
- playwright
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/smoke-copilot-safe-inputs.md b/.github/workflows/smoke-copilot-safe-inputs.md
index f90f432e92e..ddb8e47862e 100644
--- a/.github/workflows/smoke-copilot-safe-inputs.md
+++ b/.github/workflows/smoke-copilot-safe-inputs.md
@@ -20,8 +20,6 @@ network:
- github
imports:
- shared/gh.md
-sandbox:
- agent: awf
tools:
edit:
bash:
diff --git a/.github/workflows/smoke-detector.md b/.github/workflows/smoke-detector.md
index 05e574abd45..205c55bd5a2 100644
--- a/.github/workflows/smoke-detector.md
+++ b/.github/workflows/smoke-detector.md
@@ -52,8 +52,6 @@ engine: claude
imports:
- shared/mcp/gh-aw.md
- shared/reporting.md
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/spec-kit-execute.md b/.github/workflows/spec-kit-execute.md
index 35c74a871c0..be3433f6f5c 100644
--- a/.github/workflows/spec-kit-execute.md
+++ b/.github/workflows/spec-kit-execute.md
@@ -22,8 +22,6 @@ safe-outputs:
reviewers: copilot
draft: false
-sandbox:
- agent: awf
tools:
cache-memory: true
repo-memory: true
diff --git a/.github/workflows/spec-kit-executor.md b/.github/workflows/spec-kit-executor.md
index 9fa0e9cc804..fdf82758b2f 100644
--- a/.github/workflows/spec-kit-executor.md
+++ b/.github/workflows/spec-kit-executor.md
@@ -28,8 +28,6 @@ safe-outputs:
reviewers: copilot
draft: false
-sandbox:
- agent: awf
tools:
cache-memory: true
repo-memory: true
diff --git a/.github/workflows/speckit-dispatcher.md b/.github/workflows/speckit-dispatcher.md
index 5d9f298dd4b..adb251c301b 100644
--- a/.github/workflows/speckit-dispatcher.md
+++ b/.github/workflows/speckit-dispatcher.md
@@ -18,8 +18,6 @@ strict: true
imports:
- ../agents/speckit-dispatcher.agent.md
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/stale-repo-identifier.md b/.github/workflows/stale-repo-identifier.md
index 35976c80ea5..aa73bb95465 100644
--- a/.github/workflows/stale-repo-identifier.md
+++ b/.github/workflows/stale-repo-identifier.md
@@ -43,8 +43,6 @@ safe-outputs:
run-success: "✅ Analysis complete! [{workflow_name}]({run_url}) has finished analyzing stale repositories."
run-failure: "⚠️ Analysis interrupted! [{workflow_name}]({run_url}) {status}."
-sandbox:
- agent: awf
tools:
github:
read-only: true
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index 4cc73ea4567..b10af8f50ed 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -9,8 +9,6 @@ permissions:
issues: read
pull-requests: read
engine: claude
-sandbox:
- agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/sub-issue-closer.md b/.github/workflows/sub-issue-closer.md
index 9cbcf0b5d11..6c92aec804b 100644
--- a/.github/workflows/sub-issue-closer.md
+++ b/.github/workflows/sub-issue-closer.md
@@ -12,8 +12,6 @@ strict: true
network:
allowed:
- defaults
-sandbox:
- agent: awf
tools:
github:
toolsets:
diff --git a/.github/workflows/super-linter.md b/.github/workflows/super-linter.md
index d03259ba7c5..1268c037c62 100644
--- a/.github/workflows/super-linter.md
+++ b/.github/workflows/super-linter.md
@@ -16,7 +16,6 @@ safe-outputs:
engine: copilot
name: Super Linter Report
timeout-minutes: 15
-strict: true
imports:
- shared/reporting.md
jobs:
@@ -73,8 +72,6 @@ steps:
with:
name: super-linter-log
path: /tmp/gh-aw/
-sandbox:
- agent: awf
tools:
cache-memory: true
edit:
diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md
index e6a7b12aa3f..3ad96a21270 100644
--- a/.github/workflows/technical-doc-writer.md
+++ b/.github/workflows/technical-doc-writer.md
@@ -59,8 +59,6 @@ steps:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: npm run build
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
@@ -69,7 +67,6 @@ tools:
bash:
timeout-minutes: 10
-strict: true
---
diff --git a/.github/workflows/tidy.md b/.github/workflows/tidy.md
index e8bbd50b20d..e69e92ed3f4 100644
--- a/.github/workflows/tidy.md
+++ b/.github/workflows/tidy.md
@@ -28,8 +28,6 @@ timeout-minutes: 10
network: {}
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
diff --git a/.github/workflows/typist.md b/.github/workflows/typist.md
index 284a1f0da95..5a38c64d4f9 100644
--- a/.github/workflows/typist.md
+++ b/.github/workflows/typist.md
@@ -22,8 +22,6 @@ safe-outputs:
max: 1
close-older-discussions: true
-sandbox:
- agent: awf
tools:
serena: ["go"]
github:
diff --git a/.github/workflows/unbloat-docs.md b/.github/workflows/unbloat-docs.md
index 51736bafd49..c7060604b8c 100644
--- a/.github/workflows/unbloat-docs.md
+++ b/.github/workflows/unbloat-docs.md
@@ -37,8 +37,6 @@ network:
- github
# Tools configuration
-sandbox:
- agent: awf
tools:
cache-memory: true
github:
diff --git a/.github/workflows/video-analyzer.md b/.github/workflows/video-analyzer.md
index a141f0ce9e2..8e94182c247 100644
--- a/.github/workflows/video-analyzer.md
+++ b/.github/workflows/video-analyzer.md
@@ -18,8 +18,6 @@ engine: copilot
imports:
- shared/ffmpeg.md
-sandbox:
- agent: awf
tools:
bash:
diff --git a/.github/workflows/workflow-generator.md b/.github/workflows/workflow-generator.md
index b4659c54828..d7527095ca1 100644
--- a/.github/workflows/workflow-generator.md
+++ b/.github/workflows/workflow-generator.md
@@ -9,8 +9,6 @@ permissions:
issues: read
pull-requests: read
engine: copilot
-sandbox:
- agent: awf
tools:
github:
toolsets: [default]
@@ -22,7 +20,6 @@ safe-outputs:
target: "${{ github.event.issue.number }}"
assign-to-agent:
timeout-minutes: 5
-strict: true
---
{{#runtime-import? .github/shared-instructions.md}}
From e45c54f342043949bb5c122e1faf8e5426d06785 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Dec 2025 22:35:29 +0000
Subject: [PATCH 5/5] Update tests to reflect AWF being enabled by default
Tests now expect AWF sandbox agent to be enabled by default for all
supported engines (copilot, claude, codex) even without explicit
network configuration.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
pkg/workflow/aw_info_steps_test.go | 4 ++--
pkg/workflow/compiler_permissions_test.go | 25 +++++++++++------------
2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/pkg/workflow/aw_info_steps_test.go b/pkg/workflow/aw_info_steps_test.go
index dddf1c516be..056070f0858 100644
--- a/pkg/workflow/aw_info_steps_test.go
+++ b/pkg/workflow/aw_info_steps_test.go
@@ -72,8 +72,8 @@ engine: claude
This workflow tests that Claude has firewall enabled by default when network is not configured.
`,
- expectFirewall: "",
- description: "Should have empty firewall type when no network is configured (firewall only applies with network restrictions)",
+ expectFirewall: "squid",
+ description: "Should have firewall type squid when no network is configured (firewall enabled by default)",
},
}
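Review bot: With the expectation flipped to `"squid"` for the no-network case, nothing in this hunk checks the opposite direction: that a workflow which explicitly turns the sandbox off still reports an empty firewall type. The table starts outside the hunk, so such a case may already exist. If it does not, add one next to this entry, so the test catches a default that can no longer be overridden. A short comment on the entry such as `// "squid" is the firewall type reported when the AWF sandbox is active` would also help, assuming that is the mapping; the hunk does not show it.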
diff --git a/pkg/workflow/compiler_permissions_test.go b/pkg/workflow/compiler_permissions_test.go
index 25505be5879..484f8763cf9 100644
--- a/pkg/workflow/compiler_permissions_test.go
+++ b/pkg/workflow/compiler_permissions_test.go
@@ -136,14 +136,14 @@ This is a test workflow without network permissions.
t.Fatalf("Failed to read lock file: %v", err)
}
- // When no network is specified, firewall is NOT enabled (defaults to full access)
- // AWF is only enabled when network restrictions are configured
- if strings.Contains(string(lockContent), "sudo -E awf") {
- t.Error("Should NOT contain AWF wrapper when no network field specified (defaults to full access)")
+ // AWF is enabled by default for all engines (copilot, claude, codex) even without explicit network config
+ // This ensures sandbox.agent: awf is the default behavior
+ if !strings.Contains(string(lockContent), "sudo -E awf") {
+ t.Error("Should contain AWF wrapper by default for Claude engine")
}
})
- t.Run("network: defaults should not enable AWF for Claude without firewall config", func(t *testing.T) {
+ t.Run("network: defaults enables AWF by default for Claude", func(t *testing.T) {
testContent := `---
on: push
engine: claude
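Review bot: The new comment says AWF is enabled by default for all engines (copilot, claude, codex), but this subtest appears to exercise Claude only, judging by its error message `"Should contain AWF wrapper by default for Claude engine"` and the `engine: claude` fixtures around it. That leaves the copilot and codex defaults unverified here. Either narrow the comment to `// AWF is enabled by default for the Claude engine, even without a network field`, or run the same assertion over the three engines in a small table. The enclosing test function and this subtest's fixture begin outside the hunk.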
@@ -173,14 +173,13 @@ This is a test workflow with explicit defaults network permissions.
t.Fatalf("Failed to read lock file: %v", err)
}
- // network: defaults without explicit firewall config does NOT enable AWF
- // (firewall must be explicitly enabled or network.allowed must be specified)
- if strings.Contains(string(lockContent), "sudo -E awf") {
- t.Error("Should NOT contain AWF wrapper for network: defaults without firewall config")
+ // AWF is enabled by default for Claude engine with network: defaults
+ if !strings.Contains(string(lockContent), "sudo -E awf") {
+ t.Error("Should contain AWF wrapper for Claude engine with network: defaults")
}
})
- t.Run("network: {} should not enable AWF without firewall config", func(t *testing.T) {
+ t.Run("network: {} enables AWF by default for Claude", func(t *testing.T) {
testContent := `---
on: push
engine: claude
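Review bot: `strings.Contains(string(lockContent), "sudo -E awf")` only proves that the wrapper text appears somewhere in the lock file; it does not check which domains the wrapper is told to allow. That matters most for the `network: {}` subtest in the next hunk, whose fixture describes deny-all: a compiled workflow that wraps the agent but passes a permissive allow-list would still pass. Consider asserting on the allow-list arguments emitted for `network: defaults` and for `network: {}`, and checking that the wrapper sits on the agent's run step rather than anywhere in the file. The same substring check is used in the hunk above and the one below, and the test function starts outside this hunk.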
@@ -210,9 +209,9 @@ This is a test workflow with empty network permissions (deny all).
t.Fatalf("Failed to read lock file: %v", err)
}
- // Empty network config without explicit firewall config does NOT enable AWF
- if strings.Contains(string(lockContent), "sudo -E awf") {
- t.Error("Should NOT contain AWF wrapper for network: {} without firewall config")
+ // AWF is enabled by default for Claude engine with network: {}
+ if !strings.Contains(string(lockContent), "sudo -E awf") {
+ t.Error("Should contain AWF wrapper for Claude engine with network: {}")
}
})