diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 8cfc3fe28..136c69577 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -80,6 +80,11 @@ "version": "v4.1.0", "sha": "d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5" }, + "github/gh-aw-actions/setup@v0.79.6": { + "repo": "github/gh-aw-actions/setup", + "version": "v0.79.6", + "sha": "5c2fe865bb4dc46e1450f6ee0d0541d759aea73a" + }, "github/gh-aw/actions/setup-cli@v0.79.6": { "repo": "github/gh-aw/actions/setup-cli", "version": "v0.79.6", diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 84c3b258a..497086848 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -1,7 +1,5 @@ -# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"1931d05a82aa65b2b1d5af50c9dcde1453044c61ac1c0718031eb2eca5c6b046","body_hash":"6e05820005e43b82d8112bc60ced8e13336596ae671ecac69e6c5ac691485b71","compiler_version":"v0.79.8","agent_id":"claude","agent_model":"claude-haiku-4-5","engine_versions":{"claude":"2.1.168"}} -# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"c0338fef4749d08c21f8f975fb0e37efa17dda47","version":"v0.79.8"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","digest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.1","digest":"sha256:287fad02
36959f3b3d9936ea1ef8d5b4f135ef2a5f5789713495cbbef191e60c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.1@sha256:287fad0236959f3b3d9936ea1ef8d5b4f135ef2a5f5789713495cbbef191e60c"}]} -# This file was automatically generated by gh-aw (v0.79.8). DO NOT EDIT. To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md -# +# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"1931d05a82aa65b2b1d5af50c9dcde1453044c61ac1c0718031eb2eca5c6b046","body_hash":"61fdfb929477edfef0935407ef5e3016122fdda0a2bc1fb9e82755c7dbbeb886","compiler_version":"v0.79.6","agent_id":"claude","agent_model":"claude-haiku-4-5","engine_versions":{"claude":"2.1.168"}} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"5c2fe865bb4dc46e1450f6ee0d0541d759aea73a","version":"v0.79.6"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","digest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"
image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.1","digest":"sha256:287fad0236959f3b3d9936ea1ef8d5b4f135ef2a5f5789713495cbbef191e60c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.1@sha256:287fad0236959f3b3d9936ea1ef8d5b4f135ef2a5f5789713495cbbef191e60c"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -16,6 +14,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # +# This file was automatically generated by gh-aw (v0.79.6). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -37,7 +36,7 @@ # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 -# - github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 +# - github/gh-aw-actions/setup@5c2fe865bb4dc46e1450f6ee0d0541d759aea73a # v0.79.6 # # Container images used: # - ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 
@@ -90,9 +89,9 @@ jobs: comment_id: ${{ steps.add-comment.outputs.comment-id }} comment_repo: ${{ steps.add-comment.outputs.comment-repo }} comment_url: ${{ steps.add-comment.outputs.comment-url }} - daily_ai_credits_exceeded: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_ai_credits_exceeded == 'true' }} - daily_ai_credits_threshold: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_ai_credits_threshold || '' }} - daily_ai_credits_total_effective_tokens: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_ai_credits_total_effective_tokens || '' }} + daily_effective_workflow_exceeded: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_exceeded == 'true' }} + daily_effective_workflow_threshold: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_threshold || '' }} + daily_effective_workflow_total_effective_tokens: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_total_effective_tokens || '' }} engine_id: ${{ steps.generate_aw_info.outputs.engine_id }} label_command: ${{ steps.get_trigger_label.outputs.label_name }} lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }} @@ -105,7 +104,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@5c2fe865bb4dc46e1450f6ee0d0541d759aea73a # v0.79.6 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} @@ -124,7 +123,7 @@ jobs: GH_AW_INFO_MODEL: "claude-haiku-4-5" GH_AW_INFO_VERSION: "2.1.168" GH_AW_INFO_AGENT_VERSION: "2.1.168" - GH_AW_INFO_CLI_VERSION: "v0.79.8" + GH_AW_INFO_CLI_VERSION: "v0.79.6" GH_AW_INFO_WORKFLOW_NAME: "Smoke Claude" GH_AW_INFO_EXPERIMENTAL: "false" GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" 
@@ -205,7 +204,7 @@ jobs: - name: Check compile-agentic version uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: - GH_AW_COMPILED_VERSION: "v0.79.8" + GH_AW_COMPILED_VERSION: "v0.79.6" with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -238,6 +237,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} # poutine:ignore untrusted_checkout_exec run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" @@ -260,10 +260,23 @@ jobs: {{#runtime-import .github/workflows/smoke-claude.md}} GH_AW_PROMPT_f5afdc504a9fb9eb_EOF } > "$GH_AW_PROMPT" + - name: Interpolate variables and render templates + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_ENGINE_ID: "claude" + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + with: + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io, getOctokit); + const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs'); + await main(); - name: Substitute placeholders uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_MCP_CLI_SERVERS_LIST: '- `safeoutputs` — run `safeoutputs --help` to see available tools' with: script: | @@ -276,6 +289,7 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST } }); 
@@ -297,6 +311,7 @@ jobs: include-hidden-files: true path: | /tmp/gh-aw/aw_info.json + /tmp/gh-aw/model_multipliers.json /tmp/gh-aw/models.json /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/aw-prompts/prompt-template.txt @@ -310,7 +325,7 @@ jobs: agent: needs: activation - if: needs.activation.outputs.daily_ai_credits_exceeded != 'true' + if: needs.activation.outputs.daily_effective_workflow_exceeded != 'true' runs-on: ubuntu-latest permissions: contents: read @@ -344,7 +359,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@5c2fe865bb4dc46e1450f6ee0d0541d759aea73a # v0.79.6 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} 
@@ -790,6 +805,7 @@ jobs: (umask 177 && touch /tmp/gh-aw/agent-stdio.log) GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}" printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.githubusercontent.com\",\"anthropic.com\",\"api.anthropic.com\",\"api.github.com\",\"api.snapcraft.io\",\"archive.ubuntu.com\",\"azure.archive.ubuntu.com\",\"cdn.playwright.dev\",\"codeload.github.com\",\"crl.geotrust.com\",\"crl.globalsign.com\",\"crl.identrust.com\",\"crl.sectigo.com\",\"crl.thawte.com\",\"crl.usertrust.com\",\"crl.verisign.com\",\"crl3.digicert.com\",\"crl4.digicert.com\",\"crls.ssl.com\",\"files.pythonhosted.org\",\"ghcr.io\",\"github-cloud.githubusercontent.com\",\"github-cloud.s3.amazonaws.com\",\"github.com\",\"host.docker.internal\",\"json-schema.org\",\"json.schemastore.org\",\"keyserver.ubuntu.com\",\"lfs.github.com\",\"objects.githubusercontent.com\",\"ocsp.digicert.com\",\"ocsp.geotrust.com\",\"ocsp.globalsign.com\",\"ocsp.identrust.com\",\"ocsp.sectigo.com\",\"ocsp.ssl.com\",\"ocsp.thawte.com\",\"ocsp.usertrust.com\",\"ocsp.verisign.com\",\"packagecloud.io\",\"packages.cloud.google.com\",\"packages.microsoft.com\",\"playwright.download.prss.microsoft.com\",\"ppa.launchpad.net\",\"pypi.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"s.symcb.com\",\"s.symcd.com\",\"security.ubuntu.com\",\"sentry.io\",\"statsig.anthropic.com\",\"ts-crl.ws.symantec.com\",\"ts-ocsp.ws.symantec.com\",\"www.googleapis.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":2,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS},\"models\":{\"agent\":[\"sonnet-6x\",\"gpt-5.4\",\"gpt-5.3\",\"gemini-pro\",\"any\"],\"antigravity\":[\"copilot/antigravity*\",\"google/antigravity*\",\"gemini/antigravity*\"],\"any\":[\"copilot/*\",\"anthropic/*\",\"openai/*\",\"google/*\",\"gemini/*\"],\"claude\":[\"agent\"],\"codex\":[\"agent\"],\"coding\":[\"
copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\",\"gpt-5-codex\"],\"computer-use\":[\"copilot/*computer-use*\",\"google/*computer-use*\",\"gemini/*computer-use*\",\"openai/*computer-use*\"],\"copilot\":[\"agent\"],\"deep-research\":[\"copilot/deep-research*\",\"copilot/o3-deep-research*\",\"copilot/o4-mini-deep-research*\",\"google/deep-research*\",\"gemini/deep-research*\",\"openai/o3-deep-research*\",\"openai/o4-mini-deep-research*\"],\"gemini\":[\"agent\"],\"gemini-3-flash\":[\"copilot/gemini-3*flash*\",\"google/gemini-3*flash*\",\"gemini/gemini-3*flash*\"],\"gemini-3-pro\":[\"copilot/gemini-3*pro*\",\"google/gemini-3*pro*\",\"google/nano-banana*\",\"gemini/gemini-3*pro*\"],\"gemini-3.1-flash\":[\"copilot/gemini-3.1*flash*\",\"google/gemini-3.1*flash*\",\"gemini/gemini-3.1*flash*\"],\"gemini-3.1-pro\":[\"copilot/gemini-3.1*pro*\",\"google/gemini-3.1*pro*\",\"gemini/gemini-3.1*pro*\"],\"gemini-3.5-flash\":[\"copilot/gemini-3.5*flash*\",\"google/gemini-3.5*flash*\",\"gemini/gemini-3.5*flash*\"],\"gemini-flash\":[\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"],\"gemini-flash-lite\":[\"copilot/gemini-*flash*lite*\",\"google/gemini-*flash*lite*\",\"gemini/gemini-*flash*lite*\"],\"gemini-pro\":[\"copilot/gemini-*pro*\",\"google/gemini-*pro*\",\"gemini/gemini-*pro*\"],\"gemma\":[\"copilot/gemma*\",\"google/gemma*\",\"gemini/gemma*\"],\"gpt-5\":[\"copilot/gpt-5*\",\"openai/gpt-5*\"],\"gpt-5-codex\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\"],\"gpt-5-mini\":[\"copilot/gpt-5*mini*\",\"openai/gpt-5*mini*\"],\"gpt-5-nano\":[\"copilot/gpt-5*nano*\",\"openai/gpt-5*nano*\"],\"gpt-5-pro\":[\"copilot/gpt-5*pro*\",\"openai/gpt-5*pro*\"],\"gpt-5.2\":[\"copilot/gpt-5.2*\",\"openai/gpt-5.2*\"],\"gpt-5.3\":[\"copilot/gpt-5.3*\",\"openai/gpt-5.3*\"],\"gpt-5.4\":[\"copilot/gpt-5.4*\",\"openai/gpt-5.4*\"],\"gpt-5.5\":[\"copilot/gpt-5.5*\",\"openai/gpt-5.5*\"],\"haiku\":[\"copilot/*haiku*\",\"anthropic/*haiku*\"],\"large\":[\"sonnet\",\"gpt-5-pro\",\"g
pt-5\",\"gemini-pro\"],\"mai-code\":[\"copilot/MAI-Code*\",\"copilot/mai-code*\",\"openai/MAI-Code*\"],\"mini\":[\"haiku\",\"gpt-5-mini\",\"gpt-5-nano\",\"gemini-flash-lite\"],\"nano-banana\":[\"copilot/nano-banana*\",\"google/nano-banana*\",\"gemini/nano-banana*\"],\"opus\":[\"copilot/*opus*\",\"anthropic/*opus*\"],\"opusplan\":[\"opus?effort=high\"],\"reasoning\":[\"copilot/o1*\",\"copilot/o3*\",\"copilot/o4*\",\"openai/o1*\",\"openai/o3*\",\"openai/o4*\"],\"robotics\":[\"copilot/*robotics*\",\"google/*robotics*\",\"gemini/*robotics*\"],\"small\":[\"mini\"],\"small-agent\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash\"],\"sonnet\":[\"copilot/*sonnet*\",\"anthropic/*sonnet*\"],\"sonnet-6x\":[\"copilot/*sonnet-4.5*\",\"copilot/*sonnet-4.6*\",\"copilot/*sonnet-4-5-*\",\"anthropic/*sonnet-4-5-*\",\"copilot/*sonnet-4-6*\",\"anthropic/*sonnet-4-6*\"],\"summarization\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash-lite\",\"mini\"],\"vision\":[\"copilot/gemini-*image*\",\"gemini/gemini-*image*\",\"copilot/gemini-*flash*\",\"gemini/gemini-*flash*\"]}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json" + GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs" cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json" GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="" 
@@ -822,7 +838,7 @@ jobs: GH_AW_PHASE: agent GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} - GH_AW_VERSION: v0.79.8 + GH_AW_VERSION: v0.79.6 GITHUB_AW: true GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md GITHUB_WORKSPACE: ${{ github.workspace }} @@ -998,7 +1014,7 @@ jobs: - verify_token_usage if: > always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' || - needs.activation.outputs.stale_lock_file_failed == 'true' || needs.activation.outputs.daily_ai_credits_exceeded == 'true') + needs.activation.outputs.stale_lock_file_failed == 'true' || needs.activation.outputs.daily_effective_workflow_exceeded == 'true') runs-on: ubuntu-slim permissions: contents: read @@ -1017,7 +1033,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@5c2fe865bb4dc46e1450f6ee0d0541d759aea73a # v0.79.6 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} 
@@ -1155,9 +1171,9 @@ jobs: GH_AW_ENGINE_API_HOSTS: "api.anthropic.com" GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }} GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }} - GH_AW_DAILY_AI_CREDITS_EXCEEDED: ${{ needs.activation.outputs.daily_ai_credits_exceeded }} - GH_AW_DAILY_AI_CREDITS_TOTAL_EFFECTIVE_TOKENS: ${{ needs.activation.outputs.daily_ai_credits_total_effective_tokens }} - GH_AW_DAILY_AI_CREDITS_THRESHOLD: ${{ needs.activation.outputs.daily_ai_credits_threshold }} + GH_AW_DAILY_EFFECTIVE_WORKFLOW_EXCEEDED: ${{ needs.activation.outputs.daily_effective_workflow_exceeded }} + GH_AW_DAILY_EFFECTIVE_WORKFLOW_TOTAL_EFFECTIVE_TOKENS: ${{ needs.activation.outputs.daily_effective_workflow_total_effective_tokens }} + GH_AW_DAILY_EFFECTIVE_WORKFLOW_THRESHOLD: ${{ needs.activation.outputs.daily_effective_workflow_threshold }} GH_AW_SAFE_OUTPUT_MESSAGES: "{\"runSuccess\":\"✅ [{workflow_name}]({run_url}) passed\",\"runFailure\":\"❌ [{workflow_name}]({run_url}) {status}\"}" GH_AW_GROUP_REPORTS: "false" GH_AW_FAILURE_REPORT_AS_ISSUE: "true" @@ -1227,7 +1243,7 @@ jobs: steps: - name: Setup Scripts id: setup - uses: github/gh-aw-actions/setup@c0338fef4749d08c21f8f975fb0e37efa17dda47 # v0.79.8 + uses: github/gh-aw-actions/setup@5c2fe865bb4dc46e1450f6ee0d0541d759aea73a # v0.79.6 with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md index 43f3eb940..5b1b1c538 100644 --- a/.github/workflows/smoke-claude.md +++ b/.github/workflows/smoke-claude.md @@ -136,6 +136,15 @@ post-steps: # Smoke Test: Claude Engine Validation + + All data is pre-computed. Read `/tmp/gh-aw/agent/final-result.json` (one bash call: `cat /tmp/gh-aw/agent/final-result.json`). The JSON contains: `result` (PASS/FAIL), `api_status`, `gh_check`, `file_status`, `event`, `pr_number`. 
diff --git a/containers/agent/Dockerfile b/containers/agent/Dockerfile
index 386e157a5..1e1bb1e4d 100644
--- a/containers/agent/Dockerfile
+++ b/containers/agent/Dockerfile
@@ -32,29 +32,42 @@ RUN if getent hosts azure.archive.ubuntu.com >/dev/null 2>&1; then \ # Note: Some packages may already exist in runner-like base images, apt handles this gracefully # apt_update_retry: retries up to 3 times with backoff; if all fail, reverts to archive.ubuntu.com RUN set -eux; \ - apt_update_retry() { \ - local i; for i in 1 2 3; do \ - rm -rf /var/lib/apt/lists/* && apt-get update 2>&1 | tee /tmp/apt-update.log && \ - if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ - echo "apt-get update attempt $i/3 had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ - done; \ - echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." >&2; \ + force_archive_mirror() { \ + echo "Falling back to archive.ubuntu.com mirror..." >&2; \ if [ -f /etc/apt/sources.list ]; then \ sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list; \ sed -i 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list 2>/dev/null || true; \ fi; \ if [ -d /etc/apt/sources.list.d ]; then \ find /etc/apt/sources.list.d -name '*.sources' -exec \ - sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ + sed -i -e 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' \ + -e 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ fi; \ rm -rf /var/lib/apt/lists/* && apt-get update; \ }; \ + apt_update_retry() { \ + local i; for i in 1 2 3; do \ + rm -rf /var/lib/apt/lists/*; \ + if apt-get update > /tmp/apt-update.log 2>&1; then \ + cat /tmp/apt-update.log; \ + if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ + else \ + cat /tmp/apt-update.log; \ + fi; \ + echo "apt-get update attempt $i/3 failed or had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ + done; \ + echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." 
>&2; \ + force_archive_mirror; \ + }; \ + apt_install_retry() { \ + apt-get install -y --no-install-recommends "$@" && return 0; \ + echo "apt-get install failed (likely mirror fetch timeout), forcing archive.ubuntu.com and retrying..." >&2; \ + force_archive_mirror; \ + apt-get install -y --no-install-recommends "$@"; \ + }; \ PKGS="iptables curl ca-certificates git gh gnupg dnsutils net-tools netcat-openbsd gosu libcap2-bin"; \ apt_update_retry && \ - ( apt-get install -y --no-install-recommends $PKGS || \ - (echo "apt-get install failed, retrying with fresh package index..." && \ - apt_update_retry && \ - apt-get install -y --no-install-recommends $PKGS) ) && \ + apt_install_retry $PKGS && \ # Prefer system binaries over runner toolcache (e.g., act images) for Node checks. export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH" && \ # Install Node.js 22 from NodeSource 
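Review bot: `force_archive_mirror` rewrites the apt sources in place with `sed -i`, and nothing visible in this hunk restores them, so whenever the fallback fires the image keeps `archive.ubuntu.com` in place of `security.ubuntu.com` and `azure.archive.ubuntu.com`. The shipped image's package-source configuration then depends on whether a mirror timed out during that build, and any apt run later inside the container no longer queries the security host directly. I would save the source files before the rewrite and restore them at the end of the RUN step, or at minimum document it above the helper: `# NOTE: force_archive_mirror edits apt sources persistently; the image keeps archive.ubuntu.com if the fallback fired`. The same helper is pasted into the later RUN steps of this file and into containers/squid/Dockerfile. The RUN step continues past the end of the hunk.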
@@ -83,53 +96,81 @@ RUN set -eux; \ # These packages are commonly needed by workflows and avoid agents spending time installing them manually # See: https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md RUN set -eux; \ - apt_update_retry() { \ - local i; for i in 1 2 3; do \ - rm -rf /var/lib/apt/lists/* && apt-get update 2>&1 | tee /tmp/apt-update.log && \ - if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ - echo "apt-get update attempt $i/3 had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ - done; \ - echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." >&2; \ + force_archive_mirror() { \ + echo "Falling back to archive.ubuntu.com mirror..." >&2; \ if [ -f /etc/apt/sources.list ]; then \ sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list; \ + sed -i 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list 2>/dev/null || true; \ fi; \ if [ -d /etc/apt/sources.list.d ]; then \ find /etc/apt/sources.list.d -name '*.sources' -exec \ - sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ + sed -i -e 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' \ + -e 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ fi; \ rm -rf /var/lib/apt/lists/* && apt-get update; \ }; \ + apt_update_retry() { \ + local i; for i in 1 2 3; do \ + rm -rf /var/lib/apt/lists/*; \ + if apt-get update > /tmp/apt-update.log 2>&1; then \ + cat /tmp/apt-update.log; \ + if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ + else \ + cat /tmp/apt-update.log; \ + fi; \ + echo "apt-get update attempt $i/3 failed or had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ + done; \ + echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." 
>&2; \ + force_archive_mirror; \ + }; \ + apt_install_retry() { \ + apt-get install -y --no-install-recommends "$@" && return 0; \ + echo "apt-get install failed (likely mirror fetch timeout), forcing archive.ubuntu.com and retrying..." >&2; \ + force_archive_mirror; \ + apt-get install -y --no-install-recommends "$@"; \ + }; \ PARITY_PKGS="libgdiplus libev-dev libssl-dev php-intl php-gd"; \ apt_update_retry && \ - ( apt-get install -y --no-install-recommends $PARITY_PKGS || \ - (echo "apt-get install failed, retrying with fresh package index..." && \ - apt_update_retry && \ - apt-get install -y --no-install-recommends $PARITY_PKGS) ) && \ + apt_install_retry $PARITY_PKGS && \ rm -rf /var/lib/apt/lists/* # Upgrade all packages to pick up security patches # Addresses CVE-2023-44487 (HTTP/2 Rapid Reset) and other known vulnerabilities # Retry logic handles transient mirror sync failures during apt-get update -RUN apt_update_retry() { \ - local i; for i in 1 2 3; do \ - rm -rf /var/lib/apt/lists/* && apt-get update 2>&1 | tee /tmp/apt-update.log && \ - if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ - echo "apt-get update attempt $i/3 had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ - done; \ - echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." >&2; \ +RUN force_archive_mirror() { \ + echo "Falling back to archive.ubuntu.com mirror..." 
>&2; \ if [ -f /etc/apt/sources.list ]; then \ sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list; \ + sed -i 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list 2>/dev/null || true; \ fi; \ if [ -d /etc/apt/sources.list.d ]; then \ find /etc/apt/sources.list.d -name '*.sources' -exec \ - sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ + sed -i -e 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' \ + -e 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ fi; \ rm -rf /var/lib/apt/lists/* && apt-get update; \ }; \ + apt_update_retry() { \ + local i; for i in 1 2 3; do \ + rm -rf /var/lib/apt/lists/*; \ + if apt-get update > /tmp/apt-update.log 2>&1; then \ + cat /tmp/apt-update.log; \ + if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ + else \ + cat /tmp/apt-update.log; \ + fi; \ + echo "apt-get update attempt $i/3 failed or had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ + done; \ + echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." >&2; \ + force_archive_mirror; \ + }; \ + apt_upgrade_retry() { \ + apt-get upgrade -y && return 0; \ + echo "apt-get upgrade failed (likely mirror fetch timeout), forcing archive.ubuntu.com and retrying..." >&2; \ + force_archive_mirror && apt-get upgrade -y; \ + }; \ apt_update_retry && \ - apt-get upgrade -y && rm -rf /var/lib/apt/lists/* || \ - (echo "apt-get upgrade failed, retrying with fresh package index..." && \ - apt_update_retry && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*) + apt_upgrade_retry && rm -rf /var/lib/apt/lists/* # Create non-root user with UID/GID matching host user # This allows the user command to run with appropriate permissions 
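Review bot: The `force_archive_mirror` and `apt_update_retry` bodies are pasted again into both RUN steps of this hunk, which makes five copies of the fallback helper across this file and containers/squid/Dockerfile in this change. The copies had already drifted before this commit: the `security.ubuntu.com` rewrite of `/etc/apt/sources.list` is a context line in the first RUN step but an added line here. Keeping one copy in a small shell file that each RUN step sources, for example `COPY <apt-helpers.sh> /tmp/` followed by `. /tmp/<apt-helpers.sh>` (placeholder name), would keep the fallback identical everywhere. Separately, `apt_upgrade_retry` chains `force_archive_mirror && apt-get upgrade -y` while `apt_install_retry` uses `force_archive_mirror;`, so the two retry helpers treat a failed fallback differently; one form should be used for both.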
@@ -171,11 +212,28 @@ RUN chmod +x /usr/local/bin/setup-iptables.sh /usr/local/bin/entrypoint.sh /usr/ # __fprintf_chk) so the resulting .so loads on musl-based hosts (Alpine/ARC runners) COPY one-shot-token/one-shot-token.c /tmp/one-shot-token.c RUN set -eux; \ + force_archive_mirror() { \ + echo "Falling back to archive.ubuntu.com mirror..." >&2; \ + if [ -f /etc/apt/sources.list ]; then \ + sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list; \ + sed -i 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list 2>/dev/null || true; \ + fi; \ + if [ -d /etc/apt/sources.list.d ]; then \ + find /etc/apt/sources.list.d -name '*.sources' -exec \ + sed -i -e 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' \ + -e 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ + fi; \ + rm -rf /var/lib/apt/lists/* && apt-get update; \ + }; \ + apt_install_retry() { \ + apt-get install -y --no-install-recommends "$@" && return 0; \ + echo "apt-get install failed (likely mirror fetch timeout), forcing archive.ubuntu.com and retrying..." >&2; \ + force_archive_mirror; \ + apt-get install -y --no-install-recommends "$@"; \ + }; \ BUILD_PKGS="gcc libc6-dev binutils"; \ apt-get update && \ - ( apt-get install -y --no-install-recommends $BUILD_PKGS || \ - (rm -rf /var/lib/apt/lists/* && apt-get update && \ - apt-get install -y --no-install-recommends $BUILD_PKGS) ) && \ + apt_install_retry $BUILD_PKGS && \ gcc -shared -fPIC -fvisibility=hidden -O2 -Wall -s \ -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0 \ -o /usr/local/lib/one-shot-token.so /tmp/one-shot-token.c -ldl -lpthread && \ diff --git a/containers/cli-proxy/server.test.js b/containers/cli-proxy/server.test.js index aaf6256ca..f56b0d409 100644 --- a/containers/cli-proxy/server.test.js +++ b/containers/cli-proxy/server.test.js 
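Review bot: The initial `apt-get update` in this RUN step is still a bare call, so a mirror failure at that point aborts the build before `apt_install_retry` and its fallback are reached, whereas the other RUN steps go through `apt_update_retry`. Either define and call `apt_update_retry` here as well, or change the line to `( apt-get update || force_archive_mirror ) && \`. The other steps grep the update log for "Failed to fetch", which suggests `apt-get update` can exit 0 with a partial index, so reusing the helper is the more thorough option. The RUN step continues past the end of the hunk.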
@@ -270,6 +270,10 @@ describe('buildExecEnv', () => { }); describe('runGhCommand', () => { + // These tests spawn the real `gh` binary, so they are sensitive to runner + // contention. Jest's 5s default is too tight under load; give them headroom. + const REAL_GH_TIMEOUT_MS = 30000; + it('should return stdout, stderr, and exitCode on success', async () => { const result = await runGhCommand(['--version'], process.env, null); expect(result).toHaveProperty('stdout'); @@ -277,12 +281,12 @@ describe('runGhCommand', () => { expect(result).toHaveProperty('exitCode'); expect(typeof result.stdout).toBe('string'); expect(typeof result.exitCode).toBe('number'); - }); + }, REAL_GH_TIMEOUT_MS); it('should return non-zero exitCode for invalid gh subcommand', async () => { const result = await runGhCommand(['__nonexistent_subcommand__'], process.env, null); expect(result.exitCode).not.toBe(0); - }); + }, REAL_GH_TIMEOUT_MS); it('should return non-zero exitCode when gh binary is not found', async () => { // Temporarily remove gh from PATH @@ -295,5 +299,5 @@ describe('runGhCommand', () => { } finally { process.env.PATH = savedPath; } - }); + }, REAL_GH_TIMEOUT_MS); }); diff --git a/containers/squid/Dockerfile b/containers/squid/Dockerfile index 2ce30a67b..86b39e4a0 100644 --- a/containers/squid/Dockerfile +++ b/containers/squid/Dockerfile 
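Review bot: `REAL_GH_TIMEOUT_MS` is also passed to the "gh binary is not found" test, which per its own comment removes gh from PATH and so should not be spawning the real binary that the new comment gives as the reason for the headroom. A 30 s ceiling there only delays the failure if the not-found path ever hangs. I would leave that test on the default timeout, or extend the comment to `// Also applied to the not-found case, where the failed spawn can be slow under load` if the headroom is intentional. The body of that test is only partly visible in the hunk.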
@@ -22,28 +22,43 @@ RUN if getent hosts azure.archive.ubuntu.com >/dev/null 2>&1; then \ # Install additional tools for debugging, healthcheck, and SSL Bump # apt_update_retry: retries up to 3 times with backoff; if all fail, reverts to archive.ubuntu.com RUN set -eux; \ - apt_update_retry() { \ - local i; for i in 1 2 3; do \ - rm -rf /var/lib/apt/lists/* && apt-get update 2>&1 | tee /tmp/apt-update.log && \ - if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ - echo "apt-get update attempt $i/3 had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ - done; \ - echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." >&2; \ + force_archive_mirror() { \ + echo "Falling back to archive.ubuntu.com mirror..." >&2; \ if [ -f /etc/apt/sources.list ]; then \ sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list; \ + sed -i 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' /etc/apt/sources.list 2>/dev/null || true; \ fi; \ if [ -d /etc/apt/sources.list.d ]; then \ find /etc/apt/sources.list.d -name '*.sources' -exec \ - sed -i 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ + sed -i -e 's|http://azure.archive.ubuntu.com|http://archive.ubuntu.com|g' \ + -e 's|http://security.ubuntu.com|http://archive.ubuntu.com|g' {} + 2>/dev/null || true; \ fi; \ rm -rf /var/lib/apt/lists/* && apt-get update; \ }; \ + apt_update_retry() { \ + local i; for i in 1 2 3; do \ + rm -rf /var/lib/apt/lists/*; \ + if apt-get update > /tmp/apt-update.log 2>&1; then \ + cat /tmp/apt-update.log; \ + if ! grep -q "Failed to fetch" /tmp/apt-update.log; then return 0; fi; \ + else \ + cat /tmp/apt-update.log; \ + fi; \ + echo "apt-get update attempt $i/3 failed or had fetch failures, retrying in $((i*10))s..." >&2; sleep $((i*10)); \ + done; \ + echo "All apt-get update retries failed, falling back to archive.ubuntu.com..." 
>&2; \ + force_archive_mirror; \ + }; \ + apt_install_retry() { \ + apt-get install -y --no-install-recommends "$@" && return 0; \ + echo "apt-get install failed (likely mirror fetch timeout), forcing archive.ubuntu.com and retrying..." >&2; \ + force_archive_mirror; \ + apt-get install -y --no-install-recommends "$@"; \ + }; \ PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \ apt_update_retry && \ apt-get install -y --only-upgrade gpgv && \ - ( apt-get install -y --no-install-recommends $PKGS || \ - (apt_update_retry && \ - apt-get install -y --no-install-recommends $PKGS) ) && \ + apt_install_retry $PKGS && \ rm -rf /var/lib/apt/lists/* # Create log directory and SSL database directory, ensure proxy user owns them
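Review bot: `apt-get install -y --only-upgrade gpgv` sits between `apt_update_retry` and `apt_install_retry` without any retry, so a mirror fetch timeout on that line fails the build even though the fallback helper is defined just above it. Since `apt_install_retry` forwards `"$@"` to `apt-get install`, the line could become `apt_install_retry --only-upgrade gpgv && \`. That also adds `--no-install-recommends` to the call, which should be harmless for an upgrade-only invocation but is worth confirming.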