Merge branch 'main' into p--add-custom-header

Author: kevinbackhouse

.github/workflows/ci.yml

@@ -35,8 +35,7 @@ jobs:
 
     - name: Run static analysis
       run: |
-        # hatch fmt --check
-        echo linter errors will be fixed in a separate PR
+        hatch fmt --linter --check
 
     - name: Run tests
       run: hatch test --python ${{ matrix.python-version }} --cover --randomize --parallel --retries 2 --retry-delay 1

.github/workflows/smoketest.yaml

@@ -20,6 +20,7 @@ jobs:
     if: github.event.issue.pull_request  # Make sure the comment is on a PR
     outputs:
       allowed: ${{ steps.branch-deploy.outputs.continue }}
+      sha: ${{ steps.branch-deploy.outputs.sha }}
     steps:
       - name: branch-deploy
         id: branch-deploy
@@ -48,9 +49,11 @@ jobs:
       - name: Checkout the PR
         env:
           PR_NUMBER: ${{ github.event.issue.number }}
+          REF: ${{ needs.permission-check.outputs.sha }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh pr checkout $PR_NUMBER
+          git checkout $REF
 
       - name: Setup Python venv
         run: |

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 GitHub
+Copyright GitHub, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,11 +1,9 @@
-# Seclab Taskflow Agent
+# GitHub Security Lab Taskflow Agent
 
 The Security Lab Taskflow Agent is an MCP enabled multi-Agent framework.
 
 The Taskflow Agent is built on top of the [OpenAI Agents SDK](https://openai.github.io/openai-agents-python/).
 
-While the Taskflow Agent does not integrate into the GitHub Dotcom Copilot UX, it does operate using the Copilot API (CAPI) as its backend, similar to Copilot IDE extensions.
-
 ## Core Concepts
 
 The Taskflow Agent leverages a GitHub Workflow-esque YAML based grammar to perform a series of tasks using a set of Agents.
@@ -16,7 +14,7 @@ Agents are defined through [personalities](examples/personalities/), that receiv
 
 Agents can cooperate to complete sequences of tasks through so-called [taskflows](doc/GRAMMAR.md).
 
-You can find a detailed overview of the taskflow grammar [here](taskflows/GRAMMAR.md) and example taskflows [here](examples/taskflows/).
+You can find a detailed overview of the taskflow grammar [here](doc/GRAMMAR.md) and example taskflows [here](examples/taskflows/).
 
 ## Use Cases and Examples
 
@@ -36,17 +34,26 @@ Python >= 3.9 or Docker
 
 ## Configuration
 
-Provide a GitHub token for an account that is entitled to use [GitHub Models](https://models.github.ai) via the `AI_API_TOKEN` environment variable. Further configuration is use case dependent, i.e. pending which MCP servers you'd like to use in your taskflows.
+Provide a GitHub token for an account that is entitled to use [GitHub Models](https://models.github.ai) via the `AI_API_TOKEN` environment variable. Further configuration is use case dependent, i.e. pending which MCP servers you'd like to use in your taskflows. In a terminal, you can add `AI_API_TOKEN` to the environment like this:
+
+```sh
+export AI_API_TOKEN=<your_github_token>
+```
+
+Or, if you are using GitHub Codespaces, then you can [add a Codespace secret](https://github.com/settings/codespaces/secrets/new) so that `AI_API_TOKEN` is automatically available when working in a Codespace.
+
+Many of the MCP servers in the [seclab-taskflow](https://github.com/GitHubSecurityLab/seclab-taskflows) repo also need an environment variable named `GH_TOKEN` for accessing the GitHub API. You can use two separate PATs if you want, or you can use one PAT for both purposes, like this:
+
+```sh
+export GH_TOKEN=$AI_API_TOKEN
+```
 
-You can set persisting environment variables via an `.env` file in the project root.
+We do not recommend storing secrets on disk, but you can persist non-sensitive environment variables by adding a `.env` file in the project root.
 
 Example:
 
 ```sh
-# Tokens
-AI_API_TOKEN=<your_github_token>
 # MCP configs
-GH_TOKEN=<your_github_token>
 CODEQL_DBS_BASE_PATH="/app/my_data/codeql_databases"
 AI_API_ENDPOINT="https://models.github.ai/inference"
 ```
@@ -319,7 +326,7 @@ seclab-taskflow-agent:
 
 taskflow:
   - task:
-      # taskflows can optionally choose any of the support CAPI models for a task
+      # taskflows can optionally choose any of the models supported by your API for a task
       model: gpt-4.1
       # taskflows can optionally limit the max allowed number of Agent task loop
       # iterations to complete a task, this defaults to 50 when not provided
@@ -385,7 +392,7 @@ taskflow:
 
 Taskflows support [Agent handoffs](https://openai.github.io/openai-agents-python/handoffs/). Handoffs are useful for implementing triage patterns where the primary Agent can decide to handoff a task to any subsequent Agents in the `Agents` list.
 
-See the [taskflow examples](taskflows/examples) for other useful Taskflow patterns such as repeatable and asynchronous templated prompts.
+See the [taskflow examples](examples/taskflows) for other useful Taskflow patterns such as repeatable and asynchronous templated prompts.
 
 
 You can run a taskflow from the command line like this:

pyproject.toml

@@ -29,7 +29,7 @@ dependencies = [
   "annotated-types==0.7.0",
   "anyio==4.9.0",
   "attrs==25.3.0",
-  "Authlib==1.6.5",
+  "Authlib==1.6.6",
   "certifi==2025.6.15",
   "cffi==2.0.0",
   "charset-normalizer==3.4.2",
@@ -104,7 +104,7 @@ dependencies = [
   "typing-inspection==0.4.1",
   "typing_extensions==4.14.1",
   "ujson==5.10.0",
-  "urllib3==2.6.0",
+  "urllib3==2.6.3",
   "uvicorn==0.35.0",
   "zipp==3.23.0",
 ]
@@ -145,3 +145,92 @@ exclude_lines = [
   "if __name__ == .__main__.:",
   "if TYPE_CHECKING:",
 ]
+
+[tool.ruff]
+# Set target version to 3.10 to support match statements
+target-version = "py310"
+
+[tool.ruff.lint]
+# Suppress all current linter errors to establish a baseline
+ignore = [
+  "A001",     # Variable shadows built-in
+  "A002",     # Argument shadows built-in
+  "A004",     # Import shadows built-in
+  "ARG001",   # Unused function argument
+  "B006",     # Mutable default argument
+  "B007",     # Unused loop control variable
+  "B008",     # Function call in argument defaults
+  "B023",     # Function uses loop variable
+  "B904",     # raise-without-from-inside-except
+  "BLE001",   # Blind except
+  "C405",     # Unnecessary literal set
+  "C416",     # Unnecessary comprehension
+  "E721",     # Type comparison using ==
+  "E722",     # Bare except
+  "E741",     # Ambiguous variable name
+  "EM101",    # Exception string literal
+  "EM102",    # Exception f-string
+  "F401",     # Unused import
+  "F541",     # f-string without placeholders
+  "F811",     # Redefinition of unused name
+  "F821",     # Undefined name
+  "F841",     # Unused variable
+  "FA100",    # Missing from __future__ import annotations
+  "FA102",    # Missing from __future__ import annotations in stub
+  "FBT001",   # Boolean positional arg in function definition
+  "FBT002",   # Boolean default value in function definition
+  "FURB188",  # Prefer removeprefix over conditional slice
+  "G004",     # Logging with f-string
+  "I001",     # Import block unsorted or unformatted
+  "INP001",   # Implicit namespace package
+  "LOG015",   # root logger usage
+  "N801",     # Class name should use CapWords convention
+  "N802",     # Function name should be lowercase
+  "N806",     # Variable in function should be lowercase
+  "N818",     # Exception name should end with Error
+  "PERF102",  # Use keys() or values() instead of items()
+  "PERF401",  # Use list comprehension
+  "PIE790",   # Unnecessary pass statement
+  "PLC0415",  # Import should be at top of file
+  "PLC1802",  # Use of len(x) == 0
+  "PLR2004",  # Magic value used in comparison
+  "PLW0602",  # Global variable not assigned
+  "PLW0603",  # Using global statement
+  "PLW1508",  # Invalid envvar default
+  "PLW2901",  # Outer loop variable overwritten
+  "PT011",    # pytest.raises too broad
+  "PYI041",   # Use float instead of int | float
+  "RET503",   # Missing explicit return
+  "RET504",   # Unnecessary assignment before return
+  "RET505",   # Unnecessary else after return
+  "RET506",   # Unnecessary else after raise
+  "RUF005",   # Unpack instead of concatenation
+  "RUF010",   # Use explicit conversion flag
+  "RUF015",   # Prefer next() over single element slice
+  "RUF059",   # Use of private function/attribute
+  "RUF100",   # Unused noqa directive
+  "S108",     # Hardcoded temp file/directory
+  "S607",     # Starting process with partial path
+  "SIM102",   # Use single if statement
+  "SIM115",   # Use context handler for file
+  "SIM210",   # Use ternary operator
+  "SLF001",   # Private member access
+  "T201",     # print found
+  "TID252",   # Relative imports from parent modules
+  "TRY003",   # Raise vanilla args
+  "TRY004",   # Prefer TypeError for wrong type
+  "TRY300",   # Consider moving statement to else
+  "TRY301",   # Abstract raise to inner function
+  "TRY400",   # Use logging.exception instead of logging.error
+  "UP004",    # Use X | Y for union types
+  "UP006",    # Use X | Y for union types in isinstance
+  "UP009",    # UTF-8 encoding declaration
+  "UP015",    # Unnecessary mode argument
+  "UP020",    # Use builtin open
+  "UP024",    # Replace aliased errors with OSError
+  "UP032",    # Use f-string
+  "UP035",    # Import from collections.abc
+  "UP045",    # Use X | None for type annotations
+  "W291",     # Trailing whitespace
+  "W293",     # Blank line contains whitespace
+]

release_tools/copy_files.py

@@ -6,6 +6,7 @@
 import sys
 import subprocess
 
+
 def read_file_list(list_path):
     """
     Reads a file containing file paths, ignoring empty lines and lines starting with '#'.
@@ -15,6 +16,7 @@ def read_file_list(list_path):
         lines = [line.strip() for line in f]
     return [line for line in lines if line and not line.startswith("#")]
 
+
 def copy_files(file_list, dest_dir):
     """
     Copy files listed in file_list to dest_dir, preserving their relative paths.
@@ -29,6 +31,7 @@ def copy_files(file_list, dest_dir):
         shutil.copy2(abs_src, abs_dest)
         print(f"Copied {abs_src} -> {abs_dest}")
 
+
 def ensure_git_repo(dest_dir):
     """
     Initializes a git repository in dest_dir if it's not already a git repo.
@@ -56,6 +59,7 @@ def ensure_git_repo(dest_dir):
             print(f"Failed to ensure 'main' branch in {dest_dir}: {e}")
             sys.exit(1)
 
+
 def git_add_files(file_list, dest_dir):
     """
     Runs 'git add' on each file in file_list within dest_dir.
@@ -72,6 +76,7 @@ def git_add_files(file_list, dest_dir):
     finally:
         os.chdir(cwd)
 
+
 if __name__ == "__main__":
     if len(sys.argv) != 3:
         print("Usage: python copy_files.py <file_list.txt> <dest_dir>")

release_tools/publish_docker.py

@@ -6,31 +6,34 @@
 import subprocess
 import sys
 
+
 def get_image_digest(image_name, tag):
     result = subprocess.run(
         ["docker", "buildx", "imagetools", "inspect", f"{image_name}:{tag}"],
-        stdout=subprocess.PIPE, check=True, text=True
+        stdout=subprocess.PIPE,
+        check=True,
+        text=True,
     )
     for line in result.stdout.splitlines():
         if line.strip().startswith("Digest:"):
             return line.strip().split(":", 1)[1].strip()
     return None
 
+
 def build_and_push_image(dest_dir, image_name, tag):
     # Build
-    subprocess.run([
-        "docker", "buildx", "build", "--platform", "linux/amd64", "-t", f"{image_name}:{tag}", dest_dir
-    ], check=True)
+    subprocess.run(
+        ["docker", "buildx", "build", "--platform", "linux/amd64", "-t", f"{image_name}:{tag}", dest_dir], check=True
+    )
     # Push
-    subprocess.run([
-        "docker", "push", f"{image_name}:{tag}"
-    ], check=True)
+    subprocess.run(["docker", "push", f"{image_name}:{tag}"], check=True)
     print(f"Pushed {image_name}:{tag}")
     digest = get_image_digest(image_name, tag)
     print(f"Image digest: {digest}")
     with open("/tmp/digest.txt", "w") as f:
         f.write(digest)
 
+
 if __name__ == "__main__":
     if len(sys.argv) != 3:
         print("Usage: python build_and_publish_docker.py <ghcr_username/repo> <tag>")