diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml
index 9401e2e8..1411cf45 100644
--- a/.github/workflows/test-coverage-improver.lock.yml
+++ b/.github/workflows/test-coverage-improver.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c895dcb83e14c3dc8a53d19bea5901ec2f4aa9b906414a0c87a28105ef8c5865","compiler_version":"v0.72.1","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"946a0320288b84933258a811004c22667783c3339c6de5a586218233c17b9c70","compiler_version":"v0.72.1","strict":true,"agent_id":"copilot"}
# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"bc56a0cad2f450c562810785ef38649c04db812a","version":"v0.72.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.29","digest":"sha256:e68f37e36962dcb3f3d1de680a49bc2302cefd001b941a7dc377155ec7ce42f4","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.29@sha256:e68f37e36962dcb3f3d1de680a49bc2302cefd001b941a7dc377155ec7ce42f4"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.29","digest":"sha256:d1219e4110684402aabbeb5a43858f26790c9d0be210581cf3f7a521bd2c87b6","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.29@sha256:d1219e4110684402aabbeb5a43858f26790c9d0be210581cf3f7a521bd2c87b6"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.29","digest":"sha256:8a71ad9e40454051672312917e51567abfb8251d7c294d086c48f63d84e4cb53","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.29@sha256:8a71ad9e40454051672312917e51567abfb8251d7c294d086c48f63d84e4cb53"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
# ___ _ _
# / _ \ | | (_)
@@ -22,7 +22,7 @@
#
# For more information: https://github.github.com/gh-aw/introduction/overview/
#
-# Twice-daily workflow that analyzes test coverage, identifies under-tested security-critical code paths,
+# Daily workflow that analyzes test coverage, identifies under-tested security-critical code paths,
# and creates PRs with additional tests. Focuses on iptables manipulation, Squid ACL rules,
# container security, and domain validation - the core security components of the firewall.
#
@@ -53,7 +53,7 @@
name: "Test Coverage Improver"
"on":
schedule:
- - cron: "0 8,20 * * *"
+ - cron: "0 8 * * *"
# skip-if-match: # Skip-if-match processed as search check in pre-activation job
# max: 1
# query: is:pr is:open in:title "[Test Coverage]"
@@ -170,7 +170,6 @@ jobs:
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
- GH_AW_EXPR_4E3B1F6D: ${{ steps.coverage-summary.outputs.COVERAGE_JSON }}
GH_AW_EXPR_998C0DF8: ${{ steps.low-coverage.outputs.LOW_COVERAGE }}
GH_AW_EXPR_BCB09072: ${{ steps.coverage-md.outputs.COVERAGE_MD }}
GH_AW_GITHUB_ACTOR: ${{ github.actor }}
@@ -185,23 +184,23 @@ jobs:
run: |
bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
{
- cat << 'GH_AW_PROMPT_7f6d64c528530218_EOF'
+ cat << 'GH_AW_PROMPT_69ff9e09e27e4126_EOF'
- GH_AW_PROMPT_7f6d64c528530218_EOF
+ GH_AW_PROMPT_69ff9e09e27e4126_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_7f6d64c528530218_EOF'
+ cat << 'GH_AW_PROMPT_69ff9e09e27e4126_EOF'
Tools: add_comment, create_pull_request, missing_tool, missing_data, noop
- GH_AW_PROMPT_7f6d64c528530218_EOF
+ GH_AW_PROMPT_69ff9e09e27e4126_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md"
- cat << 'GH_AW_PROMPT_7f6d64c528530218_EOF'
+ cat << 'GH_AW_PROMPT_69ff9e09e27e4126_EOF'
- GH_AW_PROMPT_7f6d64c528530218_EOF
+ GH_AW_PROMPT_69ff9e09e27e4126_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_7f6d64c528530218_EOF'
+ cat << 'GH_AW_PROMPT_69ff9e09e27e4126_EOF'
The following GitHub context information is available for this workflow:
{{#if __GH_AW_GITHUB_ACTOR__ }}
@@ -230,12 +229,12 @@ jobs:
{{/if}}
- GH_AW_PROMPT_7f6d64c528530218_EOF
+ GH_AW_PROMPT_69ff9e09e27e4126_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_7f6d64c528530218_EOF'
+ cat << 'GH_AW_PROMPT_69ff9e09e27e4126_EOF'
{{#runtime-import .github/workflows/test-coverage-improver.md}}
- GH_AW_PROMPT_7f6d64c528530218_EOF
+ GH_AW_PROMPT_69ff9e09e27e4126_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -244,7 +243,6 @@ jobs:
GH_AW_ENGINE_ID: "copilot"
GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
GH_AW_EXPR_BCB09072: ${{ steps.coverage-md.outputs.COVERAGE_MD }}
- GH_AW_EXPR_4E3B1F6D: ${{ steps.coverage-summary.outputs.COVERAGE_JSON }}
GH_AW_EXPR_998C0DF8: ${{ steps.low-coverage.outputs.LOW_COVERAGE }}
with:
script: |
@@ -256,7 +254,6 @@ jobs:
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_EXPR_4E3B1F6D: ${{ steps.coverage-summary.outputs.COVERAGE_JSON }}
GH_AW_EXPR_998C0DF8: ${{ steps.low-coverage.outputs.LOW_COVERAGE }}
GH_AW_EXPR_BCB09072: ${{ steps.coverage-md.outputs.COVERAGE_MD }}
GH_AW_GITHUB_ACTOR: ${{ github.actor }}
@@ -280,7 +277,6 @@ jobs:
return await substitutePlaceholders({
file: process.env.GH_AW_PROMPT,
substitutions: {
- GH_AW_EXPR_4E3B1F6D: process.env.GH_AW_EXPR_4E3B1F6D,
GH_AW_EXPR_998C0DF8: process.env.GH_AW_EXPR_998C0DF8,
GH_AW_EXPR_BCB09072: process.env.GH_AW_EXPR_BCB09072,
GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
@@ -393,9 +389,6 @@ jobs:
- id: coverage
name: Run coverage
run: npm run test:coverage 2>&1 | tail -10
- - id: coverage-summary
- name: Read coverage summary JSON
- run: "{\n echo \"COVERAGE_JSON<> \"$GITHUB_OUTPUT\"\n"
- id: coverage-md
name: Read COVERAGE_SUMMARY.md
run: "{\n echo \"COVERAGE_MD</dev/null || echo \"(COVERAGE_SUMMARY.md not found)\"\n echo \"EOF\"\n} >> \"$GITHUB_OUTPUT\"\n"
@@ -492,9 +485,9 @@ jobs:
mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_c427d4df34e9dbf4_EOF'
+ cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_8f50a7528d341de8_EOF'
{"add_comment":{"max":1,"target":"*"},"create_pull_request":{"draft":true,"max":1,"max_patch_files":100,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","AGENTS.md","CLAUDE.md","GEMINI.md"],"title_prefix":"[Test Coverage] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_c427d4df34e9dbf4_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_8f50a7528d341de8_EOF
- name: Generate Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -725,7 +718,7 @@ jobs:
mkdir -p /home/runner/.copilot
GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_c6684fba3d6dbbfc_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+ cat << GH_AW_MCP_CONFIG_52cb9d95c5a00c66_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
{
"mcpServers": {
"github": {
@@ -766,7 +759,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_c6684fba3d6dbbfc_EOF
+ GH_AW_MCP_CONFIG_52cb9d95c5a00c66_EOF
- name: Mount MCP servers as CLIs
id: mount-mcp-clis
continue-on-error: true
@@ -817,10 +810,8 @@ jobs:
# --allow-tool shell(ls:coverage)
# --allow-tool shell(ls:src)
# --allow-tool shell(ls:tests)
- # --allow-tool shell(npm run build)
# --allow-tool shell(npm run lint)
# --allow-tool shell(npm run test)
- # --allow-tool shell(npm run test:coverage)
# --allow-tool shell(pwd)
# --allow-tool shell(safeoutputs:*)
# --allow-tool shell(sort)
@@ -840,7 +831,7 @@ jobs:
printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.29/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","codeload.github.com","docs.github.com","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.blog","github.com","github.githubassets.com","host.docker.internal","lfs.github.com","objects.githubusercontent.com","raw.githubusercontent.com","registry.npmjs.org","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"models":{"auto":["large"],"deep-research":["copilot/deep-research*","copilot/o3-deep-research*","copilot/o4-mini-deep-research*","google/deep-research*","openai/o3-deep-research*","openai/o4-mini-deep-research*"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"]}},"container":{"imageTag":"0.25.29,squid=sha256:8a71ad9e40454051672312917e51567abfb8251d7c294d086c48f63d84e4cb53,agent=sha256:e68f37e36962dcb3f3d1de680a49bc2302cefd001b941a7dc377155ec7ce42f4,agent-act=sha256:97b4cc14dc2123a45b9d5b9927489f66882dec5857de6afc0e5bab257be92ef1,api-proxy=sha256:d1219e4110684402aabbeb5a43858f26790c9d0be210581cf3f7a521bd2c87b6,cli-proxy=sha256:29917488eb90a01ff9544ffeeb5cc26434a8ea16d69ae8972f5f6be0e567e276"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
# shellcheck disable=SC1003
sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --session-state-dir /tmp/gh-aw/sandbox/agent/session-state --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
- -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(cat:coverage/coverage-summary.json)'\'' --allow-tool '\''shell(cat:jest.config.js)'\'' --allow-tool '\''shell(cat:jest.config.ts)'\'' --allow-tool '\''shell(cat:src/*.test.ts)'\'' --allow-tool '\''shell(cat:src/*.ts)'\'' --allow-tool '\''shell(cat:tests/**)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(head:*)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(ls:coverage)'\'' --allow-tool '\''shell(ls:src)'\'' --allow-tool '\''shell(ls:tests)'\'' --allow-tool '\''shell(npm run build)'\'' --allow-tool '\''shell(npm run lint)'\'' --allow-tool '\''shell(npm run test)'\'' --allow-tool '\''shell(npm run test:coverage)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(safeoutputs:*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(tail:*)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+ -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(cat:coverage/coverage-summary.json)'\'' --allow-tool '\''shell(cat:jest.config.js)'\'' --allow-tool '\''shell(cat:jest.config.ts)'\'' --allow-tool '\''shell(cat:src/*.test.ts)'\'' --allow-tool '\''shell(cat:src/*.ts)'\'' --allow-tool '\''shell(cat:tests/**)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(head:*)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(ls:coverage)'\'' --allow-tool '\''shell(ls:src)'\'' --allow-tool '\''shell(ls:tests)'\'' --allow-tool '\''shell(npm run lint)'\'' --allow-tool '\''shell(npm run test)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(safeoutputs:*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(tail:*)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
env:
AWF_REFLECT_ENABLED: 1
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
diff --git a/.github/workflows/test-coverage-improver.md b/.github/workflows/test-coverage-improver.md
index c5e4ebee..ea721c79 100644
--- a/.github/workflows/test-coverage-improver.md
+++ b/.github/workflows/test-coverage-improver.md
@@ -1,12 +1,12 @@
---
description: |
- Twice-daily workflow that analyzes test coverage, identifies under-tested security-critical code paths,
+ Daily workflow that analyzes test coverage, identifies under-tested security-critical code paths,
and creates PRs with additional tests. Focuses on iptables manipulation, Squid ACL rules,
container security, and domain validation - the core security components of the firewall.
on:
schedule:
- - cron: '0 8,20 * * *'
+ - cron: '0 8 * * *'
workflow_dispatch:
skip-if-match:
query: 'is:pr is:open in:title "[Test Coverage]"'
@@ -30,9 +30,7 @@ tools:
github:
toolsets: [repos, pull_requests]
bash:
- - "npm run build"
- "npm run test"
- - "npm run test:coverage"
- "npm run lint"
- "cat:src/*.test.ts"
- "cat:src/*.ts"
@@ -68,15 +66,6 @@ steps:
run: npm run test:coverage 2>&1 | tail -10
id: coverage
- - name: Read coverage summary JSON
- id: coverage-summary
- run: |
- {
- echo "COVERAGE_JSON<> "$GITHUB_OUTPUT"
-
- name: Read COVERAGE_SUMMARY.md
id: coverage-md
run: |
@@ -238,44 +227,39 @@ describe('functionName', () => {
npm run test
```
-2. **Run coverage** to verify improvement:
- ```bash
- npm run test:coverage
- ```
-
-3. **Run linting** to ensure code quality:
+2. **Run linting** to ensure code quality:
```bash
npm run lint
```
+3. **Use the pre-computed coverage artifacts** to confirm you targeted the right gap:
+ - Review the `COVERAGE_SUMMARY.md` and low-coverage list below
+ - If you need more detail, inspect `coverage/coverage-summary.json` with the allowed `cat` tool
+
4. **Create a PR** with:
- - Clear description of what coverage was improved
- - Before/after coverage numbers
- - List of security-critical paths now covered
- - Any edge cases or error handling added
+ - Clear description of what coverage was improved
+ - Before/after coverage numbers
+ - List of security-critical paths now covered
+ - Any edge cases or error handling added
## Current Coverage Status
+Use this run-specific context after reviewing the static guidance above.
+
+| File | Expected Coverage | Priority |
+|------|-------------------|----------|
+| `src/docker-manager.ts` | <20% | High (container lifecycle) |
+| `src/cli.ts` | 0% | High (entry point) |
+| `src/host-iptables.ts` | ~84% | Medium (edge cases) |
+
### COVERAGE_SUMMARY.md
```
${{ steps.coverage-md.outputs.COVERAGE_MD }}
```
-### Coverage JSON (full)
-
-```json
-${{ steps.coverage-summary.outputs.COVERAGE_JSON }}
-```
-
### Files Below 80% Coverage
```
${{ steps.low-coverage.outputs.LOW_COVERAGE }}
```
-
-| File | Expected Coverage | Priority |
-|------|-------------------|----------|
-| `src/docker-manager.ts` | <20% | High (container lifecycle) |
-| `src/cli.ts` | 0% | High (entry point) |
-| `src/host-iptables.ts` | ~84% | Medium (edge cases) |
\ No newline at end of file