mirror of
https://github.com/imjasonh/git-k8s
synced 2026-07-08 23:05:21 +00:00
compile all the things
Signed-off-by: Jason Hall <imjasonh@gmail.com>
This commit is contained in:
parent
464993b785
commit
61cd4e55a1
3 changed files with 1575 additions and 153 deletions
213
.github/workflows/ci-doctor.lock.yml
generated
vendored
213
.github/workflows/ci-doctor.lock.yml
generated
vendored
|
|
@ -26,7 +26,7 @@
|
|||
# either creates a fix PR directly or opens an issue with detailed diagnosis.
|
||||
# Assigns the maintainer only when manual intervention is truly needed.
|
||||
#
|
||||
# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"7e02359f51e6fa411c8ff13e342527f184d2135a7f741655fe8429439e65d776","compiler_version":"v0.50.7"}
|
||||
# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"1302df0c6620280a3d77f0b7b2090bfbc431028291954806b5294bc7df869a85","compiler_version":"v0.50.7"}
|
||||
|
||||
name: "CI Failure Doctor"
|
||||
"on":
|
||||
|
|
@ -68,7 +68,7 @@ jobs:
|
|||
destination: /opt/gh-aw/actions
|
||||
- name: Validate ANTHROPIC_API_KEY secret
|
||||
id: validate-secret
|
||||
run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Anthropic Claude' https://github.github.com/gh-aw/reference/engines/#anthropic-claude
|
||||
run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code
|
||||
env:
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
- name: Validate context variables
|
||||
|
|
@ -257,7 +257,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
permissions: read-all
|
||||
concurrency:
|
||||
group: "gh-aw-copilot-${{ github.workflow }}"
|
||||
group: "gh-aw-claude-${{ github.workflow }}"
|
||||
env:
|
||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
GH_AW_ASSETS_ALLOWED_EXTS: ""
|
||||
|
|
@ -331,11 +331,11 @@ jobs:
|
|||
const fs = require('fs');
|
||||
|
||||
const awInfo = {
|
||||
engine_id: "copilot",
|
||||
engine_name: "GitHub Copilot CLI",
|
||||
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
|
||||
engine_id: "claude",
|
||||
engine_name: "Claude Code",
|
||||
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
|
||||
version: "",
|
||||
agent_version: "0.0.419",
|
||||
agent_version: "2.1.62",
|
||||
cli_version: "v0.50.7",
|
||||
workflow_name: "CI Failure Doctor",
|
||||
experimental: false,
|
||||
|
|
@ -367,10 +367,15 @@ jobs:
|
|||
|
||||
// Set model as output for reuse in other steps/jobs
|
||||
core.setOutput('model', awInfo.model);
|
||||
- name: Install GitHub Copilot CLI
|
||||
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.419
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
||||
with:
|
||||
node-version: '24'
|
||||
package-manager-cache: false
|
||||
- name: Install awf binary
|
||||
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
|
||||
- name: Install Claude Code CLI
|
||||
run: npm install -g --silent @anthropic-ai/claude-code@2.1.62
|
||||
- name: Determine automatic lockdown mode for GitHub MCP Server
|
||||
id: determine-automatic-lockdown
|
||||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
|
|
@ -819,19 +824,17 @@ jobs:
|
|||
mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
|
||||
export DEBUG="*"
|
||||
|
||||
export GH_AW_ENGINE="copilot"
|
||||
export GH_AW_ENGINE="claude"
|
||||
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.6'
|
||||
|
||||
mkdir -p /home/runner/.copilot
|
||||
cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
|
||||
{
|
||||
"mcpServers": {
|
||||
"github": {
|
||||
"type": "stdio",
|
||||
"container": "ghcr.io/github/github-mcp-server:v0.31.0",
|
||||
"env": {
|
||||
"GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
|
||||
"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
|
||||
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN",
|
||||
"GITHUB_READ_ONLY": "1",
|
||||
"GITHUB_TOOLSETS": "pull_requests,repos,issues"
|
||||
}
|
||||
|
|
@ -840,7 +843,7 @@ jobs:
|
|||
"type": "http",
|
||||
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
|
||||
"headers": {
|
||||
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
|
||||
"Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
@ -865,30 +868,101 @@ jobs:
|
|||
path: /tmp/gh-aw/aw-prompts
|
||||
- name: Clean git credentials
|
||||
run: bash /opt/gh-aw/actions/clean_git_credentials.sh
|
||||
- name: Execute GitHub Copilot CLI
|
||||
- name: Execute Claude Code CLI
|
||||
id: agentic_execution
|
||||
# Copilot CLI tool arguments (sorted):
|
||||
# Allowed tools (sorted):
|
||||
# - Bash
|
||||
# - BashOutput
|
||||
# - Edit
|
||||
# - Edit(/tmp/gh-aw/cache-memory/*)
|
||||
# - ExitPlanMode
|
||||
# - Glob
|
||||
# - Grep
|
||||
# - KillBash
|
||||
# - LS
|
||||
# - MultiEdit
|
||||
# - MultiEdit(/tmp/gh-aw/cache-memory/*)
|
||||
# - NotebookEdit
|
||||
# - NotebookRead
|
||||
# - Read
|
||||
# - Read(/tmp/gh-aw/cache-memory/*)
|
||||
# - Task
|
||||
# - TodoWrite
|
||||
# - WebFetch
|
||||
# - Write
|
||||
# - Write(/tmp/gh-aw/cache-memory/*)
|
||||
# - mcp__github__download_workflow_run_artifact
|
||||
# - mcp__github__get_code_scanning_alert
|
||||
# - mcp__github__get_commit
|
||||
# - mcp__github__get_dependabot_alert
|
||||
# - mcp__github__get_discussion
|
||||
# - mcp__github__get_discussion_comments
|
||||
# - mcp__github__get_file_contents
|
||||
# - mcp__github__get_job_logs
|
||||
# - mcp__github__get_label
|
||||
# - mcp__github__get_latest_release
|
||||
# - mcp__github__get_me
|
||||
# - mcp__github__get_notification_details
|
||||
# - mcp__github__get_pull_request
|
||||
# - mcp__github__get_pull_request_comments
|
||||
# - mcp__github__get_pull_request_diff
|
||||
# - mcp__github__get_pull_request_files
|
||||
# - mcp__github__get_pull_request_review_comments
|
||||
# - mcp__github__get_pull_request_reviews
|
||||
# - mcp__github__get_pull_request_status
|
||||
# - mcp__github__get_release_by_tag
|
||||
# - mcp__github__get_secret_scanning_alert
|
||||
# - mcp__github__get_tag
|
||||
# - mcp__github__get_workflow_run
|
||||
# - mcp__github__get_workflow_run_logs
|
||||
# - mcp__github__get_workflow_run_usage
|
||||
# - mcp__github__issue_read
|
||||
# - mcp__github__list_branches
|
||||
# - mcp__github__list_code_scanning_alerts
|
||||
# - mcp__github__list_commits
|
||||
# - mcp__github__list_dependabot_alerts
|
||||
# - mcp__github__list_discussion_categories
|
||||
# - mcp__github__list_discussions
|
||||
# - mcp__github__list_issue_types
|
||||
# - mcp__github__list_issues
|
||||
# - mcp__github__list_label
|
||||
# - mcp__github__list_notifications
|
||||
# - mcp__github__list_pull_requests
|
||||
# - mcp__github__list_releases
|
||||
# - mcp__github__list_secret_scanning_alerts
|
||||
# - mcp__github__list_starred_repositories
|
||||
# - mcp__github__list_tags
|
||||
# - mcp__github__list_workflow_jobs
|
||||
# - mcp__github__list_workflow_run_artifacts
|
||||
# - mcp__github__list_workflow_runs
|
||||
# - mcp__github__list_workflows
|
||||
# - mcp__github__pull_request_read
|
||||
# - mcp__github__search_code
|
||||
# - mcp__github__search_issues
|
||||
# - mcp__github__search_orgs
|
||||
# - mcp__github__search_pull_requests
|
||||
# - mcp__github__search_repositories
|
||||
# - mcp__github__search_users
|
||||
timeout-minutes: 20
|
||||
run: |
|
||||
set -o pipefail
|
||||
# shellcheck disable=SC1003
|
||||
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
|
||||
sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,WebFetch,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
|
||||
env:
|
||||
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
|
||||
GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
|
||||
BASH_DEFAULT_TIMEOUT_MS: 60000
|
||||
BASH_MAX_TIMEOUT_MS: 60000
|
||||
DISABLE_BUG_COMMAND: 1
|
||||
DISABLE_ERROR_REPORTING: 1
|
||||
DISABLE_TELEMETRY: 1
|
||||
GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json
|
||||
GH_AW_MODEL_AGENT_CLAUDE: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || '' }}
|
||||
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
|
||||
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
GITHUB_HEAD_REF: ${{ github.head_ref }}
|
||||
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
|
||||
GITHUB_WORKSPACE: ${{ github.workspace }}
|
||||
XDG_CONFIG_HOME: /home/runner
|
||||
MCP_TIMEOUT: 120000
|
||||
MCP_TOOL_TIMEOUT: 60000
|
||||
- name: Configure Git credentials
|
||||
env:
|
||||
REPO_NAME: ${{ github.repository }}
|
||||
|
|
@ -901,23 +975,6 @@ jobs:
|
|||
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
|
||||
git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
|
||||
echo "Git configured with standard GitHub Actions identity"
|
||||
- name: Copy Copilot session state files to logs
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
run: |
|
||||
# Copy Copilot session state files to logs folder for artifact collection
|
||||
# This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
|
||||
SESSION_STATE_DIR="$HOME/.copilot/session-state"
|
||||
LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
|
||||
|
||||
if [ -d "$SESSION_STATE_DIR" ]; then
|
||||
echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
|
||||
mkdir -p "$LOGS_DIR"
|
||||
cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
|
||||
echo "Session state files copied successfully"
|
||||
else
|
||||
echo "No session-state directory found at $SESSION_STATE_DIR"
|
||||
fi
|
||||
- name: Stop MCP Gateway
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
|
|
@ -955,7 +1012,7 @@ jobs:
|
|||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
env:
|
||||
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
|
||||
GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
with:
|
||||
|
|
@ -971,24 +1028,16 @@ jobs:
|
|||
name: agent-output
|
||||
path: ${{ env.GH_AW_AGENT_OUTPUT }}
|
||||
if-no-files-found: warn
|
||||
- name: Upload engine output files
|
||||
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
|
||||
with:
|
||||
name: agent_outputs
|
||||
path: |
|
||||
/tmp/gh-aw/sandbox/agent/logs/
|
||||
/tmp/gh-aw/redacted-urls.log
|
||||
if-no-files-found: ignore
|
||||
- name: Parse agent logs for step summary
|
||||
if: always()
|
||||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
env:
|
||||
GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
|
||||
GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log
|
||||
with:
|
||||
script: |
|
||||
const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
|
||||
setupGlobals(core, github, context, exec, io);
|
||||
const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
|
||||
const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs');
|
||||
await main();
|
||||
- name: Parse MCP Gateway logs for step summary
|
||||
if: always()
|
||||
|
|
@ -1085,35 +1134,45 @@ jobs:
|
|||
run: |
|
||||
mkdir -p /tmp/gh-aw/threat-detection
|
||||
touch /tmp/gh-aw/threat-detection/detection.log
|
||||
- name: Execute GitHub Copilot CLI
|
||||
- name: Execute Claude Code CLI
|
||||
if: always() && steps.detection_guard.outputs.run_detection == 'true'
|
||||
id: detection_agentic_execution
|
||||
# Copilot CLI tool arguments (sorted):
|
||||
# --allow-tool shell(cat)
|
||||
# --allow-tool shell(grep)
|
||||
# --allow-tool shell(head)
|
||||
# --allow-tool shell(jq)
|
||||
# --allow-tool shell(ls)
|
||||
# --allow-tool shell(tail)
|
||||
# --allow-tool shell(wc)
|
||||
# Allowed tools (sorted):
|
||||
# - Bash(cat)
|
||||
# - Bash(grep)
|
||||
# - Bash(head)
|
||||
# - Bash(jq)
|
||||
# - Bash(ls)
|
||||
# - Bash(tail)
|
||||
# - Bash(wc)
|
||||
# - BashOutput
|
||||
# - ExitPlanMode
|
||||
# - Glob
|
||||
# - Grep
|
||||
# - KillBash
|
||||
# - LS
|
||||
# - NotebookRead
|
||||
# - Read
|
||||
# - Task
|
||||
# - TodoWrite
|
||||
timeout-minutes: 20
|
||||
run: |
|
||||
set -o pipefail
|
||||
# shellcheck disable=SC1003
|
||||
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
|
||||
sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && claude --print --disable-slash-commands --no-chrome --allowed-tools '\''Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite'\'' --debug-file /tmp/gh-aw/threat-detection/detection.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
|
||||
env:
|
||||
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
|
||||
BASH_DEFAULT_TIMEOUT_MS: 60000
|
||||
BASH_MAX_TIMEOUT_MS: 60000
|
||||
DISABLE_BUG_COMMAND: 1
|
||||
DISABLE_ERROR_REPORTING: 1
|
||||
DISABLE_TELEMETRY: 1
|
||||
GH_AW_MODEL_DETECTION_CLAUDE: ${{ vars.GH_AW_MODEL_DETECTION_CLAUDE || '' }}
|
||||
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
GITHUB_HEAD_REF: ${{ github.head_ref }}
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
|
||||
GITHUB_WORKSPACE: ${{ github.workspace }}
|
||||
XDG_CONFIG_HOME: /home/runner
|
||||
MCP_TIMEOUT: 120000
|
||||
MCP_TOOL_TIMEOUT: 60000
|
||||
- name: Parse threat detection results
|
||||
id: parse_detection_results
|
||||
if: always() && steps.detection_guard.outputs.run_detection == 'true'
|
||||
|
|
@ -1302,7 +1361,7 @@ jobs:
|
|||
pull-requests: write
|
||||
timeout-minutes: 15
|
||||
env:
|
||||
GH_AW_ENGINE_ID: "copilot"
|
||||
GH_AW_ENGINE_ID: "claude"
|
||||
GH_AW_WORKFLOW_ID: "ci-doctor"
|
||||
GH_AW_WORKFLOW_NAME: "CI Failure Doctor"
|
||||
outputs:
|
||||
|
|
@ -1361,7 +1420,7 @@ jobs:
|
|||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
env:
|
||||
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
|
||||
GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"assignees\":[\"imjasonh\"],\"labels\":[\"automation\",\"ci-failure\"],\"max\":1,\"title_prefix\":\"[CI Fix] \"},\"create_pull_request\":{\"draft\":false,\"labels\":[\"automation\",\"ci-failure\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[CI Fix] \"},\"missing_data\":{},\"missing_tool\":{},\"push_to_pull_request_branch\":{\"if_no_changes\":\"warn\",\"max_patch_size\":1024}}"
|
||||
|
|
|
|||
207
.github/workflows/code-review.lock.yml
generated
vendored
207
.github/workflows/code-review.lock.yml
generated
vendored
|
|
@ -27,7 +27,7 @@
|
|||
# pushes minor fixes (formatting, linting) directly. Assigns the maintainer
|
||||
# only when human judgment is genuinely needed.
|
||||
#
|
||||
# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"18ec815df5d5897d21d7ba19dae442639f83c3aef1984fc3de7b79b51ecff78c","compiler_version":"v0.50.7"}
|
||||
# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"007ad9202bdb3d170000a59f0c090c87226ca3ae38058806d15d02ca9d029668","compiler_version":"v0.50.7"}
|
||||
|
||||
name: "Automated Code Reviewer"
|
||||
"on":
|
||||
|
|
@ -66,7 +66,7 @@ jobs:
|
|||
destination: /opt/gh-aw/actions
|
||||
- name: Validate ANTHROPIC_API_KEY secret
|
||||
id: validate-secret
|
||||
run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Anthropic Claude' https://github.github.com/gh-aw/reference/engines/#anthropic-claude
|
||||
run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code
|
||||
env:
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
- name: Validate context variables
|
||||
|
|
@ -299,11 +299,11 @@ jobs:
|
|||
const fs = require('fs');
|
||||
|
||||
const awInfo = {
|
||||
engine_id: "copilot",
|
||||
engine_name: "GitHub Copilot CLI",
|
||||
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
|
||||
engine_id: "claude",
|
||||
engine_name: "Claude Code",
|
||||
model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "",
|
||||
version: "",
|
||||
agent_version: "0.0.419",
|
||||
agent_version: "2.1.62",
|
||||
cli_version: "v0.50.7",
|
||||
workflow_name: "Automated Code Reviewer",
|
||||
experimental: false,
|
||||
|
|
@ -335,10 +335,15 @@ jobs:
|
|||
|
||||
// Set model as output for reuse in other steps/jobs
|
||||
core.setOutput('model', awInfo.model);
|
||||
- name: Install GitHub Copilot CLI
|
||||
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.419
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
||||
with:
|
||||
node-version: '24'
|
||||
package-manager-cache: false
|
||||
- name: Install awf binary
|
||||
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
|
||||
- name: Install Claude Code CLI
|
||||
run: npm install -g --silent @anthropic-ai/claude-code@2.1.62
|
||||
- name: Validate lockdown mode requirements
|
||||
id: validate-lockdown-requirements
|
||||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
|
|
@ -760,19 +765,17 @@ jobs:
|
|||
mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
|
||||
export DEBUG="*"
|
||||
|
||||
export GH_AW_ENGINE="copilot"
|
||||
export GH_AW_ENGINE="claude"
|
||||
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.6'
|
||||
|
||||
mkdir -p /home/runner/.copilot
|
||||
cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
|
||||
{
|
||||
"mcpServers": {
|
||||
"github": {
|
||||
"type": "stdio",
|
||||
"container": "ghcr.io/github/github-mcp-server:v0.31.0",
|
||||
"env": {
|
||||
"GITHUB_LOCKDOWN_MODE": "1",
|
||||
"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
|
||||
"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN",
|
||||
"GITHUB_READ_ONLY": "1",
|
||||
"GITHUB_TOOLSETS": "pull_requests,repos"
|
||||
}
|
||||
|
|
@ -781,7 +784,7 @@ jobs:
|
|||
"type": "http",
|
||||
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
|
||||
"headers": {
|
||||
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
|
||||
"Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
@ -806,30 +809,97 @@ jobs:
|
|||
path: /tmp/gh-aw/aw-prompts
|
||||
- name: Clean git credentials
|
||||
run: bash /opt/gh-aw/actions/clean_git_credentials.sh
|
||||
- name: Execute GitHub Copilot CLI
|
||||
- name: Execute Claude Code CLI
|
||||
id: agentic_execution
|
||||
# Copilot CLI tool arguments (sorted):
|
||||
# Allowed tools (sorted):
|
||||
# - Bash
|
||||
# - BashOutput
|
||||
# - Edit
|
||||
# - ExitPlanMode
|
||||
# - Glob
|
||||
# - Grep
|
||||
# - KillBash
|
||||
# - LS
|
||||
# - MultiEdit
|
||||
# - NotebookEdit
|
||||
# - NotebookRead
|
||||
# - Read
|
||||
# - Task
|
||||
# - TodoWrite
|
||||
# - WebFetch
|
||||
# - Write
|
||||
# - mcp__github__download_workflow_run_artifact
|
||||
# - mcp__github__get_code_scanning_alert
|
||||
# - mcp__github__get_commit
|
||||
# - mcp__github__get_dependabot_alert
|
||||
# - mcp__github__get_discussion
|
||||
# - mcp__github__get_discussion_comments
|
||||
# - mcp__github__get_file_contents
|
||||
# - mcp__github__get_job_logs
|
||||
# - mcp__github__get_label
|
||||
# - mcp__github__get_latest_release
|
||||
# - mcp__github__get_me
|
||||
# - mcp__github__get_notification_details
|
||||
# - mcp__github__get_pull_request
|
||||
# - mcp__github__get_pull_request_comments
|
||||
# - mcp__github__get_pull_request_diff
|
||||
# - mcp__github__get_pull_request_files
|
||||
# - mcp__github__get_pull_request_review_comments
|
||||
# - mcp__github__get_pull_request_reviews
|
||||
# - mcp__github__get_pull_request_status
|
||||
# - mcp__github__get_release_by_tag
|
||||
# - mcp__github__get_secret_scanning_alert
|
||||
# - mcp__github__get_tag
|
||||
# - mcp__github__get_workflow_run
|
||||
# - mcp__github__get_workflow_run_logs
|
||||
# - mcp__github__get_workflow_run_usage
|
||||
# - mcp__github__issue_read
|
||||
# - mcp__github__list_branches
|
||||
# - mcp__github__list_code_scanning_alerts
|
||||
# - mcp__github__list_commits
|
||||
# - mcp__github__list_dependabot_alerts
|
||||
# - mcp__github__list_discussion_categories
|
||||
# - mcp__github__list_discussions
|
||||
# - mcp__github__list_issue_types
|
||||
# - mcp__github__list_issues
|
||||
# - mcp__github__list_label
|
||||
# - mcp__github__list_notifications
|
||||
# - mcp__github__list_pull_requests
|
||||
# - mcp__github__list_releases
|
||||
# - mcp__github__list_secret_scanning_alerts
|
||||
# - mcp__github__list_starred_repositories
|
||||
# - mcp__github__list_tags
|
||||
# - mcp__github__list_workflow_jobs
|
||||
# - mcp__github__list_workflow_run_artifacts
|
||||
# - mcp__github__list_workflow_runs
|
||||
# - mcp__github__list_workflows
|
||||
# - mcp__github__pull_request_read
|
||||
# - mcp__github__search_code
|
||||
# - mcp__github__search_issues
|
||||
# - mcp__github__search_orgs
|
||||
# - mcp__github__search_pull_requests
|
||||
# - mcp__github__search_repositories
|
||||
# - mcp__github__search_users
|
||||
timeout-minutes: 15
|
||||
run: |
|
||||
set -o pipefail
|
||||
# shellcheck disable=SC1003
|
||||
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
|
||||
sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,WebFetch,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
|
||||
env:
|
||||
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
|
||||
GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
|
||||
BASH_DEFAULT_TIMEOUT_MS: 60000
|
||||
BASH_MAX_TIMEOUT_MS: 60000
|
||||
DISABLE_BUG_COMMAND: 1
|
||||
DISABLE_ERROR_REPORTING: 1
|
||||
DISABLE_TELEMETRY: 1
|
||||
GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json
|
||||
GH_AW_MODEL_AGENT_CLAUDE: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || '' }}
|
||||
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
|
||||
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
GITHUB_HEAD_REF: ${{ github.head_ref }}
|
||||
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
|
||||
GITHUB_WORKSPACE: ${{ github.workspace }}
|
||||
XDG_CONFIG_HOME: /home/runner
|
||||
MCP_TIMEOUT: 120000
|
||||
MCP_TOOL_TIMEOUT: 60000
|
||||
- name: Configure Git credentials
|
||||
env:
|
||||
REPO_NAME: ${{ github.repository }}
|
||||
|
|
@ -842,23 +912,6 @@ jobs:
|
|||
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
|
||||
git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
|
||||
echo "Git configured with standard GitHub Actions identity"
|
||||
- name: Copy Copilot session state files to logs
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
run: |
|
||||
# Copy Copilot session state files to logs folder for artifact collection
|
||||
# This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
|
||||
SESSION_STATE_DIR="$HOME/.copilot/session-state"
|
||||
LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
|
||||
|
||||
if [ -d "$SESSION_STATE_DIR" ]; then
|
||||
echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
|
||||
mkdir -p "$LOGS_DIR"
|
||||
cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
|
||||
echo "Session state files copied successfully"
|
||||
else
|
||||
echo "No session-state directory found at $SESSION_STATE_DIR"
|
||||
fi
|
||||
- name: Stop MCP Gateway
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
|
|
@ -896,7 +949,7 @@ jobs:
|
|||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
env:
|
||||
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
|
||||
GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
with:
|
||||
|
|
@ -912,24 +965,16 @@ jobs:
|
|||
name: agent-output
|
||||
path: ${{ env.GH_AW_AGENT_OUTPUT }}
|
||||
if-no-files-found: warn
|
||||
- name: Upload engine output files
|
||||
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
|
||||
with:
|
||||
name: agent_outputs
|
||||
path: |
|
||||
/tmp/gh-aw/sandbox/agent/logs/
|
||||
/tmp/gh-aw/redacted-urls.log
|
||||
if-no-files-found: ignore
|
||||
- name: Parse agent logs for step summary
|
||||
if: always()
|
||||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
env:
|
||||
GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
|
||||
GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log
|
||||
with:
|
||||
script: |
|
||||
const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
|
||||
setupGlobals(core, github, context, exec, io);
|
||||
const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
|
||||
const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs');
|
||||
await main();
|
||||
- name: Parse MCP Gateway logs for step summary
|
||||
if: always()
|
||||
|
|
@ -1020,35 +1065,45 @@ jobs:
|
|||
run: |
|
||||
mkdir -p /tmp/gh-aw/threat-detection
|
||||
touch /tmp/gh-aw/threat-detection/detection.log
|
||||
- name: Execute GitHub Copilot CLI
|
||||
- name: Execute Claude Code CLI
|
||||
if: always() && steps.detection_guard.outputs.run_detection == 'true'
|
||||
id: detection_agentic_execution
|
||||
# Copilot CLI tool arguments (sorted):
|
||||
# --allow-tool shell(cat)
|
||||
# --allow-tool shell(grep)
|
||||
# --allow-tool shell(head)
|
||||
# --allow-tool shell(jq)
|
||||
# --allow-tool shell(ls)
|
||||
# --allow-tool shell(tail)
|
||||
# --allow-tool shell(wc)
|
||||
# Allowed tools (sorted):
|
||||
# - Bash(cat)
|
||||
# - Bash(grep)
|
||||
# - Bash(head)
|
||||
# - Bash(jq)
|
||||
# - Bash(ls)
|
||||
# - Bash(tail)
|
||||
# - Bash(wc)
|
||||
# - BashOutput
|
||||
# - ExitPlanMode
|
||||
# - Glob
|
||||
# - Grep
|
||||
# - KillBash
|
||||
# - LS
|
||||
# - NotebookRead
|
||||
# - Read
|
||||
# - Task
|
||||
# - TodoWrite
|
||||
timeout-minutes: 20
|
||||
run: |
|
||||
set -o pipefail
|
||||
# shellcheck disable=SC1003
|
||||
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
|
||||
sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
|
||||
-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && claude --print --disable-slash-commands --no-chrome --allowed-tools '\''Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite'\'' --debug-file /tmp/gh-aw/threat-detection/detection.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
|
||||
env:
|
||||
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
|
||||
BASH_DEFAULT_TIMEOUT_MS: 60000
|
||||
BASH_MAX_TIMEOUT_MS: 60000
|
||||
DISABLE_BUG_COMMAND: 1
|
||||
DISABLE_ERROR_REPORTING: 1
|
||||
DISABLE_TELEMETRY: 1
|
||||
GH_AW_MODEL_DETECTION_CLAUDE: ${{ vars.GH_AW_MODEL_DETECTION_CLAUDE || '' }}
|
||||
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
GITHUB_HEAD_REF: ${{ github.head_ref }}
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
|
||||
GITHUB_WORKSPACE: ${{ github.workspace }}
|
||||
XDG_CONFIG_HOME: /home/runner
|
||||
MCP_TIMEOUT: 120000
|
||||
MCP_TOOL_TIMEOUT: 60000
|
||||
- name: Parse threat detection results
|
||||
id: parse_detection_results
|
||||
if: always() && steps.detection_guard.outputs.run_detection == 'true'
|
||||
|
|
@ -1223,7 +1278,7 @@ jobs:
|
|||
pull-requests: write
|
||||
timeout-minutes: 15
|
||||
env:
|
||||
GH_AW_ENGINE_ID: "copilot"
|
||||
GH_AW_ENGINE_ID: "claude"
|
||||
GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Reviewed by [{workflow_name}]({run_url})\",\"runStarted\":\"[{workflow_name}]({run_url}) is reviewing this pull request...\",\"runSuccess\":\"[{workflow_name}]({run_url}) has completed the review.\",\"runFailure\":\"[{workflow_name}]({run_url}) encountered an error ({status}).\"}"
|
||||
GH_AW_WORKFLOW_ID: "code-review"
|
||||
GH_AW_WORKFLOW_NAME: "Automated Code Reviewer"
|
||||
|
|
@ -1283,7 +1338,7 @@ jobs:
|
|||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
||||
env:
|
||||
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
|
||||
GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
|
||||
GITHUB_SERVER_URL: ${{ github.server_url }}
|
||||
GITHUB_API_URL: ${{ github.api_url }}
|
||||
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_pull_request_review_comment\":{\"max\":10,\"side\":\"RIGHT\"},\"missing_data\":{},\"missing_tool\":{},\"push_to_pull_request_branch\":{\"if_no_changes\":\"warn\",\"max_patch_size\":1024},\"submit_pull_request_review\":{\"max\":1}}"
|
||||
|
|
|
|||
1308
.github/workflows/dependency-update.lock.yml
generated
vendored
Normal file
1308
.github/workflows/dependency-update.lock.yml
generated
vendored
Normal file
File diff suppressed because it is too large
Load diff
Loading…
Add table
Add a link
Reference in a new issue