strands-command.yml
# Runs the Strands agent when a comment is created on an issue, a pull request
# or a pull-request review thread, or when the workflow is dispatched manually.
name: Strands Command Handler

on:
  # Every newly created comment starts a run; the job-level `if` then keeps
  # only comments whose body begins with "/strands".
  issue_comment:
    types:
      - created
  pull_request_review_comment:
    types:
      - created
  # Manual runs. All three inputs are free-form strings supplied by whoever
  # dispatches the workflow.
  workflow_dispatch:
    inputs:
      issue_id:
        description: "Issue ID to process (can be issue or PR number)"
        required: true
        type: string
      command:
        description: "Strands command to execute"
        required: false
        type: string
        default: ""
      session_id:
        description: "Optional session ID to use"
        required: false
        type: string
        default: ""
# GITHUB_TOKEN scopes, applied to every job in this workflow. All four are
# write scopes on a workflow that comments can start, so the "Check
# authorization" step is the gate that protects them.
permissions:
  # Repository contents: allows pushing commits and branches.
  contents: write
  # Lets the job request an OIDC token; presumably used to assume the AWS
  # role passed to the agent step as aws_role_arn (confirm in the action).
  id-token: write
  # Labels and comments on issues (the strands-running label is set here).
  issues: write
  # Labels and comments on pull requests.
  pull-requests: write
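jobs:
  strands-agent:
    # Run only for comments that begin with "/strands" or for manual
    # dispatches. This is a prefix match on the comment body, not an
    # authorization check; the first step below gates comment triggers.
    if: startsWith(github.event.comment.body, '/strands') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable version tags (@v9, @v6, @v1). Pinning each to a full commit
      # SHA keeps a moved tag from changing what runs with this job's write
      # permissions and secrets.

      # Gate: comment-triggered runs continue only when the commenter has
      # write or admin permission on the repository. A thrown error fails the
      # step, which skips every later step except the always() label cleanup.
      - name: Check authorization
        uses: actions/github-script@v9
        with:
          script: |
            // Skip auth check for workflow_dispatch (manual runs)
            if (context.eventName === 'workflow_dispatch') {
              console.log('✅ Manual workflow dispatch - authorized');
              return;
            }
            // Check collaborator permissions for comment triggers
            try {
              const permissionResponse = await github.rest.repos.getCollaboratorPermissionLevel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                username: context.payload.comment.user.login,
              });
              const permission = permissionResponse.data.permission;
              const hasWriteAccess = ['write', 'admin'].includes(permission);
              if (!hasWriteAccess) {
                console.log(`❌ User ${context.payload.comment.user.login} does not have write access (permission: ${permission})`);
                throw new Error('Insufficient permissions');
              }
              console.log(`✅ User ${context.payload.comment.user.login} has write access`);
            } catch (error) {
              // Fail closed: an API error is treated like a denied request.
              console.log(`❌ Authorization failed: ${error.message}`);
              throw error;
            }

      # Full-history checkout of the event's default ref (no `ref` is given).
      # NOTE(review): for pull_request_review_comment that ref is expected to
      # be the PR merge ref; confirm it is a tree you trust, because later
      # steps load ./.github/scripts and ./.github/actions from this checkout.
      # NOTE(review): actions/checkout keeps the job token available to later
      # git commands unless `persist-credentials: false` is set; the agent
      # step has a shell tool, so confirm whether it needs that token.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # Marks the issue or PR as being processed.
      - name: Add strands-running label
        uses: actions/github-script@v9
        env:
          # Passed through the environment instead of being templated into
          # the script, so the value is data and is never parsed as code.
          ISSUE_NUMBER: ${{ inputs.issue_id || github.event.issue.number || github.event.pull_request.number }}
        with:
          script: |
            const issueNumber = Number(process.env.ISSUE_NUMBER);
            if (!Number.isInteger(issueNumber) || issueNumber <= 0) {
              throw new Error('Issue or PR number is missing or not a positive integer');
            }
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: issueNumber,
              labels: ['strands-running']
            });

      # Builds the prompt, system prompt, session id and branch name that the
      # agent step consumes (outputs are set by process-inputs.cjs, which is
      # not shown here).
      - name: Process inputs and build prompts
        id: process-inputs
        uses: actions/github-script@v9
        env:
          # Dispatch inputs are free-form strings. Reading them from the
          # environment means a quote or newline in a value cannot break out
          # of a JavaScript string literal in the script below.
          STRANDS_ISSUE_ID: ${{ inputs.issue_id }}
          STRANDS_COMMAND: ${{ inputs.command }}
          STRANDS_SESSION_ID: ${{ inputs.session_id }}
        with:
          script: |
            const processInputs = require('./.github/scripts/javascript/process-inputs.cjs');
            // Empty string when the run was started by a comment, matching
            // what the empty `inputs` context rendered to before.
            const inputs = {
              issue_id: process.env.STRANDS_ISSUE_ID || '',
              command: process.env.STRANDS_COMMAND || '',
              session_id: process.env.STRANDS_SESSION_ID || ''
            };
            await processInputs(context, github, core, inputs);

      # Mints a GitHub App installation token from the stored private key.
      # Its reach is whatever the App installation is granted, independent of
      # the `permissions` block of this workflow.
      - name: Generate GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # Runs the agent with a shell tool, the App token and an AWS role.
      # NOTE(review): the prompt comes from process-inputs.cjs; if it includes
      # issue or comment text written by users without write access, that text
      # reaches a model that can run shell commands with these credentials.
      # Confirm how the script separates trusted commands from quoted content,
      # and keep the App and AWS role scoped to what the agent needs.
      - name: Run Strands Agent
        uses: ./.github/actions/strands-action
        with:
          prompt: ${{ steps.process-inputs.outputs.prompt }}
          system_prompt: ${{ steps.process-inputs.outputs.system_prompt }}
          provider: 'bedrock'
          model: 'us.anthropic.claude-sonnet-4-5-20250929-v1:0'
          tools: 'strands_tools:shell,retrieve'
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region: 'us-west-2'
          pat_token: ${{ steps.app-token.outputs.token }}
        env:
          SESSION_ID: ${{ steps.process-inputs.outputs.session_id }}
          S3_SESSION_BUCKET: ${{ secrets.AGENT_SESSIONS_BUCKET }}
          BRANCH_NAME: ${{ steps.process-inputs.outputs.branch_name }}

      # Best-effort cleanup; runs even when an earlier step failed, so the
      # label does not stay on the issue after an aborted run.
      - name: Remove strands-running label
        if: always()
        uses: actions/github-script@v9
        env:
          # Same environment hand-off as in the add-label step.
          ISSUE_NUMBER: ${{ inputs.issue_id || github.event.issue.number || github.event.pull_request.number }}
        with:
          script: |
            try {
              const issueNumber = Number(process.env.ISSUE_NUMBER);
              if (!Number.isInteger(issueNumber) || issueNumber <= 0) {
                throw new Error('Issue or PR number is missing or not a positive integer');
              }
              await github.rest.issues.removeLabel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: issueNumber,
                name: 'strands-running'
              });
            } catch (error) {
              console.log('Label removal failed (may not exist):', error.message);
            }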