Skip to content

feat(aw): updating the workflow with latest aw#6458

Merged
ChronosSF merged 1 commit intomasterfrom
sstoychev/update-agentic-lock-m
Apr 14, 2026
Merged

feat(aw): updating the workflow with latest aw#6458
ChronosSF merged 1 commit intomasterfrom
sstoychev/update-agentic-lock-m

Conversation

@ChronosSF
Copy link
Copy Markdown
Member

@ChronosSF ChronosSF commented Apr 14, 2026

Closes #

Checklist:

  • check topic's TOC/menu and paragraph headings
  • Include TOC topic labels in topic content has a valuable update, it's new or considered as preview\ beta
  • link to other topics using ../relative/path.md
  • at the References section at the end of the topic add links to topics, samples, etc
  • reference API documentation instead of adding a section with API

  • use valid component names - [Data] Grid, IgxSelectComponent, <igx-combo>
  • use spell checker tool (VS Code, Grammarly, Microsoft Editor)
  • add inline code blocks for the names of classes / tags / properties
  • add language descriptor for the code blocks
  • check broken links (use browser add-on)
  • check if sample is working and fully visible in the topic
  • check if sample is working and fully visible in the StackBlitz
  • check if code blocks match the code in StackBlitz demo


  • do not resolve requested changes (leave that to the reviewer)
  • add pending-localization label when the review of the PR is done
  • add a member from the localization team to translate it

Copilot AI review requested due to automatic review settings April 14, 2026 14:29
@ChronosSF ChronosSF merged commit dce2009 into master Apr 14, 2026
7 checks passed
@ChronosSF ChronosSF deleted the sstoychev/update-agentic-lock-m branch April 14, 2026 14:32
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the generated Agentic Workflows (gh-aw) workflow to the latest gh-aw toolchain and adjusts supporting action locks accordingly.

Changes:

  • Bumps gh-aw workflow generation from v0.57.2 to v0.68.1 and updates associated Copilot CLI/AWF versions and scripts pathing.
  • Restructures the workflow into clearer phases (activation/agent/detection/safe_outputs/conclusion) with additional logging/artifacts.
  • Updates the action lock file with new pinned entries for updated actions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/sync-jp-docs.lock.yml Updates the generated sync workflow to gh-aw v0.68.1, adds/adjusts jobs, security tooling, and artifact handling.
.github/aw/actions-lock.json Adds pinned action entries for the updated workflow/toolchain.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/aw/actions-lock.json
"actions/github-script@v9": {
"repo": "actions/github-script",
"version": "v9",
"sha": "373c709c69115d41ff229c7e5df9f8788daa9553"
Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.github/aw/actions-lock.json pins actions/github-script@v9 to SHA 373c709..., but this workflow primarily uses a different pinned SHA (3a2844b...) for actions/github-script v9. If the repo relies on this lock file for action validation/auditing, the workflow will be out of sync. Align the workflow to the locked SHA or update the lock entry to the SHA actually used (and avoid having two different SHAs for the same action version across the workflow).

Suggested change
"sha": "373c709c69115d41ff229c7e5df9f8788daa9553"
"sha": "FULL_SHA_MATCHING_THE_WORKFLOW_PIN_BEGINNING_WITH_3a2844b"

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/sync-jp-docs.lock.yml
- agent
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
- detection
if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

safe_outputs is currently gated on needs.detection.result == 'success', but the detection job also exposes detection_success/detection_conclusion outputs. If threat detection reports findings via outputs without failing the job (common for “reporting” steps), needs.detection.result can still be success and this job would proceed incorrectly. Gate on needs.detection.outputs.detection_success == 'true' (or needs.detection.outputs.detection_conclusion == 'success') to ensure safe outputs only run when detection actually passes.

Suggested change
if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.outputs.detection_success == 'true'

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/sync-jp-docs.lock.yml
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.18 --skip-pull --enable-api-proxy \
-- /bin/bash -c 'node ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The threat-detection Copilot invocation uses --allow-all-tools, which is a significant permissions expansion compared to the earlier explicit allowlist approach in this workflow. For least-privilege and to reduce the blast radius of a compromised/misbehaving detection step, restrict the toolset to only what the detection prompt requires (e.g., read-only shell commands).

Suggested change
-- /bin/bash -c 'node ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
-- /bin/bash -c 'node ${RUNNER_TEMP}/gh-aw/actions/copilot_driver.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool "shell:cat" --allow-tool "shell:find" --allow-tool "shell:git diff" --allow-tool "shell:git grep" --allow-tool "shell:git ls-files" --allow-tool "shell:grep" --allow-tool "shell:head" --allow-tool "shell:ls" --allow-tool "shell:sed" --allow-tool "shell:tail" --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ChronosSF