diff --git a/.github/workflows/news-realtime-monitor.lock.yml b/.github/workflows/news-realtime-monitor.lock.yml index a7be9a702..ffdd629d5 100644 --- a/.github/workflows/news-realtime-monitor.lock.yml +++ b/.github/workflows/news-realtime-monitor.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f1d0f4a9e801ef8e0a5881b2b9c29815bb7bf7fd66de14b6a0f561f753b78c16","compiler_version":"v0.68.7","agent_id":"copilot","agent_model":"claude-opus-4.7"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d1a441c4c5fe2056d169537bc095a1bd65cfe1e2358a05e1f776021af568d6ce","compiler_version":"v0.68.7","agent_id":"copilot","agent_model":"claude-opus-4.7"} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/setup-node","sha":"6044e13b5dc448c55e2357c09f80417699197238","version":"6044e13b5dc448c55e2357c09f80417699197238"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f52802884d655622f0a2dfd6d6a2250983c95523","version":"v0.68.7"}],"containers":[{"image":"alpine:latest"},{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.23"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.23"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.23"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.22"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0"},{"image":"mcr.microsoft.com/playwright/mcp"},{"image":"node:25-alpine"},{"image":"node:lts-alpine"}]} # ___ _ _ # / _ \ | | (_) 
@@ -125,7 +125,7 @@ jobs: GH_AW_INFO_EXPERIMENTAL: "false" GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" GH_AW_INFO_STAGED: "false" - GH_AW_INFO_ALLOWED_DOMAINS: '["node","github","riksdag-regering-ai.onrender.com","api.scb.se","api.worldbank.org","data.riksdagen.se","www.riksdagen.se","riksdagen.se","www.regeringen.se","www.scb.se","regeringen.se","hack23.com","www.hack23.com","riksdagsmonitor.com","www.riksdagsmonitor.com","raw.githubusercontent.com","hack23.github.io","defaults"]' + GH_AW_INFO_ALLOWED_DOMAINS: '["node","github","riksdag-regering-ai.onrender.com","api.scb.se","api.worldbank.org","api.imf.org","data.imf.org","www.imf.org","data.riksdagen.se","www.riksdagen.se","riksdagen.se","www.regeringen.se","www.scb.se","regeringen.se","hack23.com","www.hack23.com","riksdagsmonitor.com","www.riksdagsmonitor.com","raw.githubusercontent.com","hack23.github.io","defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.23" GH_AW_INFO_AWMG_VERSION: "" @@ -206,9 +206,9 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_dc9d7a13416c7d0a_EOF' + cat << 'GH_AW_PROMPT_12cac9a7c9fdae2c_EOF' - GH_AW_PROMPT_dc9d7a13416c7d0a_EOF + GH_AW_PROMPT_12cac9a7c9fdae2c_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" 
@@ -216,12 +216,12 @@ jobs: cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md" cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_dc9d7a13416c7d0a_EOF' + cat << 'GH_AW_PROMPT_12cac9a7c9fdae2c_EOF' - Tools: add_comment, create_pull_request, dispatch_workflow, missing_tool, missing_data, noop - GH_AW_PROMPT_dc9d7a13416c7d0a_EOF + Tools: add_comment, create_pull_request(max:3), dispatch_workflow, missing_tool, missing_data, noop + GH_AW_PROMPT_12cac9a7c9fdae2c_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md" - cat << 'GH_AW_PROMPT_dc9d7a13416c7d0a_EOF' + cat << 'GH_AW_PROMPT_12cac9a7c9fdae2c_EOF' The following GitHub context information is available for this workflow: @@ -251,12 +251,12 @@ jobs: {{/if}} - GH_AW_PROMPT_dc9d7a13416c7d0a_EOF + GH_AW_PROMPT_12cac9a7c9fdae2c_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_dc9d7a13416c7d0a_EOF' + cat << 'GH_AW_PROMPT_12cac9a7c9fdae2c_EOF' {{#runtime-import .github/workflows/news-realtime-monitor.md}} - GH_AW_PROMPT_dc9d7a13416c7d0a_EOF + GH_AW_PROMPT_12cac9a7c9fdae2c_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 
@@ -504,16 +504,16 @@ jobs: mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_b86d7127fbefdaeb_EOF' - {"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":1,"max_patch_size":4096,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md","CLAUDE.md","GEMINI.md"],"protected_path_prefixes":[".github/",".agents/"]},"create_report_incomplete_issue":{},"dispatch_workflow":{"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_b86d7127fbefdaeb_EOF + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_218cd03549ed72be_EOF' + 
{"add_comment":{"max":1},"create_pull_request":{"draft":false,"expires":336,"labels":["agentic-news","analysis-data"],"max":3,"max_patch_size":4096,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","AGENTS.md","CLAUDE.md","GEMINI.md"],"protected_path_prefixes":[".github/",".agents/"]},"create_report_incomplete_issue":{},"dispatch_workflow":{"aw_context_workflows":["news-translate"],"max":1,"workflow_files":{"news-translate":".lock.yml"},"workflows":["news-translate"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":50,"max_file_size":51200,"max_patch_size":51200}]},"report_incomplete":{}} + GH_AW_SAFE_OUTPUTS_CONFIG_218cd03549ed72be_EOF - name: Write Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | { "description_suffixes": { "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Supports reply_to_id for discussion threading.", - "create_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be created. Labels [\"agentic-news\" \"analysis-data\"] will be automatically added." + "create_pull_request": " CONSTRAINTS: Maximum 3 pull request(s) can be created. Labels [\"agentic-news\" \"analysis-data\"] will be automatically added." }, "repo_params": {}, "dynamic_tools": [ 
@@ -536,6 +536,11 @@ jobs: "description": "Article type to translate (propositions, motions, committee-reports, week-ahead, month-ahead, weekly-review, monthly-review, breaking, evening-analysis, deep-inspection, interpellations). Leave empty to scan for all untranslated articles.", "type": "string" }, + "aw_context": { + "default": "", + "description": "Agent caller context (used internally by Agentic Workflows).", + "type": "string" + }, "languages": { "default": "all-extra", "description": "Target languages (da,no,fi,de,fr,es,nl,ar,he,ja,ko,zh | nordic-extra | eu-extra | cjk | rtl | all-extra). Default: all-extra (all except en,sv)", @@ -767,7 +772,7 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_6b5e1c48b65ab8c4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d97e41f5445c1b98_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "agenticworkflows": { @@ -897,7 +902,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_6b5e1c48b65ab8c4_EOF + GH_AW_MCP_CONFIG_d97e41f5445c1b98_EOF - name: Download activation artifact uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: 
@@ -923,7 +928,7 @@ jobs: export GH_AW_NODE_BIN (umask 177 && touch /tmp/gh-aw/agent-stdio.log) # shellcheck disable=SC1003 - sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.scb.se,api.snapcraft.io,api.worldbank.org,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.riksdagen.se,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,hack23.com,hack23.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,regeringen.se,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,riksdag-regering-ai.onrender.com,riksdagen.se,riksdagsmonitor.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-cr
l.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.hack23.com,www.npmjs.com,www.npmjs.org,www.regeringen.se,www.riksdagen.se,www.riksdagsmonitor.com,www.scb.se,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.23 --skip-pull --enable-api-proxy \ + sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.imf.org,api.individual.githubcopilot.com,api.npms.io,api.scb.se,api.snapcraft.io,api.worldbank.org,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.imf.org,data.riksdagen.se,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,hack23.com,hack23.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,regeringen.se,registry.bower.io,registry.npmjs.c
om,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,riksdag-regering-ai.onrender.com,riksdagen.se,riksdagsmonitor.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.hack23.com,www.imf.org,www.npmjs.com,www.npmjs.org,www.regeringen.se,www.riksdagen.se,www.riksdagsmonitor.com,www.scb.se,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.23 --skip-pull --enable-api-proxy \ -- /bin/bash -c '${GH_AW_NODE_BIN:-node} ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
@@ -1012,7 +1017,7 @@ jobs: uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 env: GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.scb.se,api.snapcraft.io,api.worldbank.org,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.riksdagen.se,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,hack23.com,hack23.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,regeringen.se,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,riksdag-regering-ai.onrender.com,riksdagen.se,riksdagsmonitor.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.hack23.com,www.npmjs.com,www.npmjs.org,www.regeringen.se,www.riksdagen.se,www.riksdagsmonitor.com,www.scb.se,yarnpkg.com" + 
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.imf.org,api.individual.githubcopilot.com,api.npms.io,api.scb.se,api.snapcraft.io,api.worldbank.org,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.imf.org,data.riksdagen.se,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,hack23.com,hack23.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,regeringen.se,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,riksdag-regering-ai.onrender.com,riksdagen.se,riksdagsmonitor.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.hack23.com,www.imf.org,www.npmjs.com,www.npmjs.org,www.regeringen.se,www.riksdagen.se,www.riksdagsmonitor.com,www.scb.se,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1581,10 +1586,10 @@ jobs: uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 env: GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.scb.se,api.snapcraft.io,api.worldbank.org,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.riksdagen.se,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,hack23.com,hack23.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,regeringen.se,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,riksdag-regering-ai.onrender.com,riksdagen.se,riksdagsmonitor.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.hack23.com,www.npmjs.com,www.npmjs.org,www.regeringen.se,www.riksdagen.se,www.riksdagsmonitor.com,www.scb.se,yarnpkg.com" + 
GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.imf.org,api.individual.githubcopilot.com,api.npms.io,api.scb.se,api.snapcraft.io,api.worldbank.org,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,data.imf.org,data.riksdagen.se,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,hack23.com,hack23.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,regeringen.se,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,riksdag-regering-ai.onrender.com,riksdagen.se,riksdagsmonitor.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.hack23.com,www.imf.org,www.npmjs.com,www.npmjs.org,www.regeringen.se,www.riksdagen.se,www.riksdagsmonitor.com,www.scb.se,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: 
"{\"add_comment\":{\"max\":1},\"create_pull_request\":{\"draft\":false,\"expires\":336,\"labels\":[\"agentic-news\",\"analysis-data\"],\"max\":1,\"max_patch_size\":4096,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\",\"CLAUDE.md\",\"GEMINI.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"]},\"create_report_incomplete_issue\":{},\"dispatch_workflow\":{\"max\":1,\"workflow_files\":{\"news-translate\":\".lock.yml\"},\"workflows\":[\"news-translate\"]},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: 
"{\"add_comment\":{\"max\":1},\"create_pull_request\":{\"draft\":false,\"expires\":336,\"labels\":[\"agentic-news\",\"analysis-data\"],\"max\":3,\"max_patch_size\":4096,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\",\"CLAUDE.md\",\"GEMINI.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\"]},\"create_report_incomplete_issue\":{},\"dispatch_workflow\":{\"aw_context_workflows\":[\"news-translate\"],\"max\":1,\"workflow_files\":{\"news-translate\":\".lock.yml\"},\"workflows\":[\"news-translate\"]},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}" GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }} with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/news-realtime-monitor.md b/.github/workflows/news-realtime-monitor.md index e5a4d2486..df3d44d49 100644 --- a/.github/workflows/news-realtime-monitor.md +++ b/.github/workflows/news-realtime-monitor.md @@ -130,6 +130,7 @@ safe-outputs: labels: [agentic-news, analysis-data] draft: false expires: 14d + max: 3 add-comment: {} dispatch-workflow: workflows: [news-translate] 
@@ -302,9 +303,13 @@ You are the **Real-Time Political Monitor** for Riksdagsmonitor. Detect signific Uses `memory/news-generation` branch. START: read `memory/news-generation/last-run-news-realtime-monitor.json` + `memory/news-generation/covered-documents/{YYYY-MM-DD}.json`. END: update both + `memory/news-generation/translation-status.json`. Skip already-covered dok_ids. -## ⏱️ Time Budget (45 minutes) — ENFORCED Minimum 40 Minutes +## ⏱️ Time Budget (45 minutes) — ROLLING PRs KEEP THE SESSION ALIVE -> 🔴 **SYSTEMIC ISSUE IDENTIFIED (PR #1794 audit, 2026-04-16)**: ALL news workflows were completing in 13-22 minutes of their 45-minute allocation, producing shallow analysis with unenriched script stubs. The agent MUST use at least 40 of the 45 allocated minutes. Completion before 40 minutes = insufficient iteration = REJECTED quality. +> 🔴 **PRODUCTION INCIDENT (2026-04-20, run 24672037751)**: The agent wrote both EN (3,344 words) and SV (2,774 words) breaking articles, committed locally, then called `safeoutputs___create_pull_request` at **minute ~33**. All four safeoutputs calls (`create_pull_request`, `noop`, `missing_tool`, `report_incomplete`) failed with `session not found` — the safeoutputs MCP session had expired from idle. **All work lost.** + +> 🟢 **SESSION KEEP-ALIVE STRATEGY (this workflow, `create-pull-request.max: 3`)**: Every `safeoutputs___create_pull_request` call **refreshes the Streamable HTTP MCP session idle timer**. Instead of rushing all work into a single monolithic PR before minute 28, the agent now opens up to **3 rolling PRs** — each call keeps the session alive and captures an additional batch of work. This is the same pattern PR #1768 proved successful for `news-translate.md` (where it went from "all work lost at minute 50" to "5 batch PRs over 55 minutes, zero session expiries"). See `SHARED_PROMPT_PATTERNS.md` §"Universal Safe Output Rules". 
+ +> 🔴 **SYSTEMIC ISSUE IDENTIFIED (PR #1794 audit, 2026-04-16)**: Prior news workflows were completing in 13–22 minutes, producing shallow analysis with unenriched script stubs. The agent MUST spend at least **22 minutes on analysis** (15 min Pass 1 + 7 min Pass 2). Completion before 22 minutes of analysis = insufficient iteration = REJECTED quality. ```bash date +%s > /tmp/start_time.txt 
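Review bot: The rewritten SYSTEMIC ISSUE callout gives the analysis minimum as "15 min Pass 1 + 7 min Pass 2", but the schedule table in this same commit sets Pass 1 to minutes 6–18 with a "MANDATORY 12 min minimum", and the closing note sums it as 12 + 7 + 3. An agent following the prompt literally gets two conflicting gates. A 15-minute Pass 1 starting at minute 6, followed by the 18–22 generation step, also leaves no room for the PR #1 slot that must complete by minute 25. I would align the callout with the table: `(12 min Pass 1 + 7 min Pass 2 + 3 min article improvement)`.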
@@ -315,16 +320,19 @@ read START_TIME < /tmp/start_time.txt |-------|---------|--------| | Setup | 0–3 | Date check, `get_sync_status()` warm-up | | Download | 3–6 | Run data download scripts (MCP data fetch) | -| **AI Analysis Pass 1** | **6–21** | **🚨 MANDATORY 15 min minimum**: Read ALL methodology guides, create per-file analysis for EVERY document with Mermaid diagrams, evidence tables, SWOT entries. | -| **AI Analysis Pass 2** | **21–28** | **🚨 MANDATORY 7 min minimum**: Read ALL analysis back, improve every section, add cross-references, replace ALL script stubs. Run enrichment verification gate. | -| Detect | 28–30 | Run minimum time gate + enrichment verification gate. Query MCP for today's activity. | -| Generate | 30–36 | Run `generate-news-enhanced.ts` script. | -| **Article Improvement** | **36–40** | **🚨 MANDATORY**: Read ALL articles back, replace AI_MUST_REPLACE markers, improve content, run article quality gate. | -| Validate | 40–42 | Run `validate-news-generation.sh` | -| Commit+PR | 42–45 | `git add && git commit`, then `safeoutputs___create_pull_request` | +| **AI Analysis Pass 1** | **6–18** | **🚨 MANDATORY 12 min minimum**: Read methodology guides, create per-file analysis for EVERY document with Mermaid diagrams, evidence tables, SWOT entries. | +| Generate (initial) | 18–22 | Run `generate-news-enhanced.ts`; write a first real pass of the EN + SV articles (lead-story aligned; zero markers). | +| **PR #1 — heartbeat + initial batch** | **22–25** | 🚨 **HARD MIN: by minute 25.** `git add && git commit`, then `safeoutputs___create_pull_request` (title `🔴 Breaking $HHMM: {headline} - {date}` — initial batch). This keeps the session alive AND guarantees no work is lost if later phases fail. After the call succeeds, run `git checkout main` to avoid appending to a frozen patch. | +| **AI Analysis Pass 2** | **25–32** | **🚨 MANDATORY 7 min minimum**: Read ALL analysis back, improve every section, add cross-references, replace remaining script stubs. 
Run enrichment verification gate. | +| **Article Improvement** | **32–38** | **🚨 MANDATORY**: Read articles back, expand evidence citations, deepen SWOT/risk tables, replace any residual placeholders, run article quality gate. | +| Validate + fix-refs | 38–40 | Run `validate-news-generation.sh` and `fix-analysis-references.ts`. | +| **PR #2 — improvements batch** | **40–43** | Commit the improved articles + enriched analysis on a fresh branch (`git checkout main` first!), then `safeoutputs___create_pull_request` again (title `🔴 Breaking $HHMM (improved): {headline} - {date}`). This second call also refreshes the session. | +| Post-PR cleanup | 43–45 | Update repo-memory (`/tmp/gh-aw/repo-memory/default/*.json`) — artifact uploads, NOT PR content, so they run after the final PR call. Optional PR #3 if additional articles exist. | +| **HARD DEADLINE** | **43** | 🚨 Never exit without at least one `safeoutputs___create_pull_request` call if ANY files were created. ONLY call `safeoutputs___noop` if truly ZERO files were created. Never noop when files exist. | + +> ⚠️ **Why rolling PRs answer "keep the session alive":** the safeoutputs MCP Streamable HTTP session dies from idle (~30–35 min observed). A single PR call at minute 42 is past expiry. Two PR calls at minutes 22 and 42 each re-exercise the session, keeping it healthy. PR #1 is the **safety net** (guarantees work is captured); PR #2 is the **quality upgrade** (captures Pass 2 improvements). This is exactly how `news-translate.md` uses `max: 5` — see its §"RULE 1: `safeoutputs___create_pull_request` Freezes the Patch — Use Rolling Batches". -| **HARD DEADLINE** | **43–45** | 🚨 If no safe output yet: if ANY artifacts/files were created, IMMEDIATELY stage, commit, call `safeoutputs___create_pull_request` with partial work. ONLY call `safeoutputs___noop` if truly ZERO files were created. 
| -> ⚠️ **Analysis phase is 15 minutes minimum before article generation, and total analysis+generation+article improvement work is 40 minutes minimum before validation** — this is NOT negotiable. PR #1452 demonstrated that < 10 min produces unacceptable analysis. PR #1794 demonstrated that 15 min total = shallow articles missing SWOT tables, Mermaid diagrams, risk matrices. The AI MUST use the full time allocation. +> ⚠️ **Analysis phase is 22 minutes minimum (Pass 1: 12 min + Pass 2: 7 min + Improvement: 3 min or more) — this is NOT negotiable.** PR #1452 demonstrated that < 10 min produces unacceptable analysis. PR #1794 demonstrated that 15 min total = shallow articles missing SWOT tables, Mermaid diagrams, risk matrices. With rolling PRs, Pass 2 + Improvement run AFTER PR #1 is safely committed — so quality iteration no longer risks losing everything. > 🔴 **MINIMUM TIME ENFORCEMENT**: Before proceeding to article generation, the agent MUST run the Minimum Analysis Time Gate AND the Analysis Enrichment Verification Gate from SHARED_PROMPT_PATTERNS.md. Both gates MUST pass before article generation begins. 
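Review bot: PR #1 is now created at minutes 22–25, but `validate-news-generation.sh` only runs in the 38–40 row, so the first pull request carries articles that have passed no validation step. The previous schedule validated at 40–42 before the single commit at 42–45. The compiled config in the lock file keeps `"draft":false`, so that unvalidated batch opens ready for review with the same labels as the final one. I would add the check to the PR #1 row, e.g. `Run validate-news-generation.sh, then git add && git commit`, or mark the first PR's title as unvalidated so a reviewer does not merge it ahead of PR #2. The HARD DEADLINE row's "Never noop when files exist" wording makes this more important, because it pushes partial output into a PR by design.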
@@ -345,9 +353,10 @@ read AW_NOW < /tmp/now_time.txt ELAPSED=$(( AW_NOW - START_TIME )) echo "⏱️ Elapsed: $((ELAPSED / 60))m $((ELAPSED % 60))s" ``` -- `>= 35 min` → Stop generating, commit what you have, create PR immediately -- `>= 40 min` → STOP ALL WORK, call safe output tool (`safeoutputs___noop` or `safeoutputs___create_pull_request`) IMMEDIATELY — do NOT run any more bash commands -- **CRITICAL**: If you have not called a safe output tool and time is running out, call `safeoutputs___noop` immediately. Failing to call a safe output tool causes a workflow failure. +- `>= 22 min` and no PR #1 called yet → commit initial articles and call `safeoutputs___create_pull_request` immediately (this is the session-heartbeat moment) +- `>= 28 min` and no PR #1 called yet → 🚨 **SESSION EXPIRY IMMINENT** — STOP ALL WORK, stage + commit everything, call `safeoutputs___create_pull_request` with whatever exists. Partial work in a PR is infinitely better than `session not found`. +- `>= 43 min` → call final `safeoutputs___create_pull_request` for any improved/additional batch, then stop. +- **CRITICAL — UNIVERSAL SAFE OUTPUT RULE (from SHARED_PROMPT_PATTERNS.md)**: If ANY files were created/modified → ALWAYS `safeoutputs___create_pull_request`. NEVER `safeoutputs___noop` when artifacts exist. Noop means "I did nothing" and loses everything. Noop is ONLY valid when zero files were produced (MCP unreachable, truly no significant events). ## Step 1: Date Validation & MANDATORY MCP Health Check 
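Review bot: The `>= 28 min` branch says "stage + commit everything", which is wider than the staging Step 5 describes as scoped to this run's time-stamped folder; an agent working against the deadline could read it as a blanket add and freeze unrelated workspace files into PR #1. I would word it as `stage + commit this run's articles and analysis (same scoped paths as Step 5)`. Neither this branch nor the `>= 22 min` one mentions `validate-news-generation.sh`, which the schedule table in this diff places at minutes 38–40, so PR #1 appears to be opened before any validation unless a step outside this hunk covers it; the "Time running out" row in the hunk at -908 has the same gap. The removed `>= 40 min` line also carried an explicit "do NOT run any more bash commands", while the new `>= 43 min` line only says "then stop" and the table still schedules repo-memory updates for 43–45, so the text should state which of the two applies.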
@@ -816,12 +825,22 @@ Content workflows: only create/modify **EN and SV** files (`news/YYYY-MM-DD-*-en Branch: `news/content/{YYYY-MM-DD}/breaking`. `safeoutputs___create_pull_request` handles this automatically. -## Step 5: Commit & Create PR +## Step 5: Commit & Create PR — ROLLING BATCHES (up to 3 PRs per run) ### HOW SAFE PR CREATION WORKS ⚠️ DO NOT use `git push` — the safe output tool handles publishing. Commit locally, then use the tool. +> 🚨 **`safeoutputs___create_pull_request` freezes the patch at call time AND refreshes the MCP session.** A separate `safe_outputs` job (after the agent job ends) creates the branch and opens each PR. **Commits made after a given call are NOT added to that PR** (PR #1835). But because this workflow now has `create-pull-request.max: 3`, you can call the tool up to **3 times per run** — each call captures a new batch AND refreshes the Streamable HTTP MCP session idle timer. This is how we "keep the session alive" over the full 45-minute window. +> +> **Required pattern:** +> 1. **PR #1 (minute 22–25 — MANDATORY first call, session heartbeat #1)**: initial EN + SV articles + Pass 1 analysis. Title: `🔴 Breaking $HHMM: {headline} - $ARTICLE_DATE`. +> 2. After PR #1 succeeds, run `git checkout main` (or any branch other than the PR branch) before editing further files. Commits stacked onto the same branch after the call are silently discarded from the frozen patch (see PR #1835). +> 3. **PR #2 (minute 40–43 — session heartbeat #2)**: Pass 2 improvements + enriched analysis + fixed references. Title: `🔴 Breaking $HHMM (improved): {headline} - $ARTICLE_DATE`. +> 4. **PR #3 (optional, if additional HIGH/MEDIUM events discovered later in the run)**: extra article(s) on a new branch. +> 5. Repo-memory updates (`/tmp/gh-aw/repo-memory/default/*.json`) are artifact uploads, not PR content — safe to run after the final PR call. +> 6. 
If `safeoutputs___create_pull_request` returns `session not found` on any call, every subsequent safeoutputs call will also fail — recover is impossible. The rolling-batch pattern is specifically designed to prevent this by exercising the session at least twice. + ```bash # Stage articles and analysis — scoped to this run's time-stamped folder to prevent overwriting other runs [ -f /tmp/hhmm.env ] && . /tmp/hhmm.env 
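Review bot: Item 2 of the required pattern sends the agent to `main` after PR #1 without saying where the PR #1 articles then live. If they were committed on a separate PR branch, they are no longer in the working tree when the improvement pass is supposed to read them back; if they were committed on the local `main`, the checkout changes nothing and the PR #2 patch may carry the PR #1 commits again. The text should spell out the restore step, for example `git checkout -b <improved-branch> main && git checkout <pr1-branch> -- <this run's article paths>` (placeholders), and state that PR #2 supersedes PR #1, because both would add the same file paths and the person merging needs to know which one to close. With up to three PRs per run, a line asking each later PR body to reference the earlier PR would keep review traceable. Minor wording in item 6: `recover is impossible` should read `recovery is impossible`.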
@@ -908,9 +927,10 @@ See `SHARED_PROMPT_PATTERNS.md` §"Standardised Analysis Depth Gate" and §"MAND | Timeout | MCP server response exceeds `timeout-minutes` | Reduce query scope or increase timeout | | Script timeout | Generation script exceeds 20-minute limit | Proceed with whatever was generated; the `timeout 1200` wrapper kills the script | | Stale data | `hoursSinceSync > 48` from `get_sync_status()` | Add disclaimer noting data staleness; proceed with cached data | -| Time running out | Elapsed >= 35 minutes | IMMEDIATELY call `safeoutputs___noop` or `safeoutputs___create_pull_request` — do NOT start new work | +| Time running out | Elapsed >= 22 minutes and no safeoutputs call yet | IMMEDIATELY commit any staged/unstaged articles and call `safeoutputs___create_pull_request` (PR #1, session heartbeat). Then `git checkout main` and continue improving for PR #2. Do NOT noop if files exist. | +| safeoutputs `session not found` | Delayed the **first** `safeoutputs___create_pull_request` past the ~30–35 min session lifetime (see run 24672037751). Once the session dies, ALL subsequent intent calls fail. | UNRECOVERABLE once it happens. **Prevention: call `safeoutputs___create_pull_request` by minute 25 (PR #1) and again by minute 43 (PR #2). Each call refreshes the session idle timer.** `create-pull-request.max: 3` is configured specifically to enable this keep-alive pattern. | -⚠️ **CRITICAL SAFETY NET**: Before EVERY bash block and EVERY tool call, mentally check: "Am I running out of time?" If more than 35 minutes have elapsed since workflow start, stop all work and call a safe output tool IMMEDIATELY. +⚠️ **CRITICAL SAFETY NET**: Before EVERY bash block and EVERY tool call, mentally check: "Have I called `safeoutputs___create_pull_request` yet?" 
If more than **22 minutes** have elapsed and PR #1 has not been created, stop all work, commit whatever articles exist, and call `safeoutputs___create_pull_request` IMMEDIATELY — this both captures work AND keeps the MCP session alive for PR #2 at minute 40–43. 🎯 **Now begin: Check date, warm up MCP with `get_sync_status()`, detect events, generate articles with the script, and call a safe output tool.**