Copilot Agent PR Analysis #157
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # ___ _ _ | |
| # / _ \ | | (_) | |
| # | |_| | __ _ ___ _ __ | |_ _ ___ | |
| # | _ |/ _` |/ _ \ '_ \| __| |/ __| | |
| # | | | | (_| | __/ | | | |_| | (__ | |
| # \_| |_/\__, |\___|_| |_|\__|_|\___| | |
| # __/ | | |
| # _ _ |___/ | |
| # | | | | / _| | | |
| # | | | | ___ _ __ _ __| |_| | _____ ____ | |
| # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| | |
| # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ | |
| # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ | |
| # | |
| # This file was automatically generated by gh-aw. DO NOT EDIT. | |
| # | |
| # To update this file, edit the corresponding .md file and run: | |
| # gh aw compile | |
| # For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md | |
| # | |
| # Analyzes GitHub Copilot agent usage patterns in pull requests to provide insights on agent effectiveness and behavior | |
| # | |
| # Resolved workflow manifest: | |
| # Imports: | |
| # - shared/copilot-pr-data-fetch.md | |
| # - shared/jqschema.md | |
| # - shared/mood.md | |
| # - shared/reporting.md | |
| # | |
| # frontmatter-hash: 9877d15bafd4f47752568b09abbd6d4b52018b23da94ca30b29c95b3670f0cc8 | |
| name: "Copilot Agent PR Analysis" | |
| "on": | |
| schedule: | |
| - cron: "19 5 * * *" | |
| # Friendly format: daily (scattered) | |
| workflow_dispatch: | |
| permissions: {} | |
| concurrency: | |
| group: "gh-aw-${{ github.workflow }}" | |
| run-name: "Copilot Agent PR Analysis" | |
| jobs: | |
| activation: | |
| runs-on: ubuntu-slim | |
| permissions: | |
| contents: read | |
| outputs: | |
| comment_id: "" | |
| comment_repo: "" | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Check workflow file timestamps | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_WORKFLOW_FILE: "copilot-agent-analysis.lock.yml" | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); | |
| await main(); | |
| agent: | |
| needs: activation | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| issues: read | |
| pull-requests: read | |
| concurrency: | |
| group: "gh-aw-claude-${{ github.workflow }}" | |
| env: | |
| DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GH_AW_ASSETS_ALLOWED_EXTS: "" | |
| GH_AW_ASSETS_BRANCH: "" | |
| GH_AW_ASSETS_MAX_SIZE_KB: 0 | |
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | |
| GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl | |
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json | |
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json | |
| outputs: | |
| checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} | |
| has_patch: ${{ steps.collect_output.outputs.has_patch }} | |
| model: ${{ steps.generate_aw_info.outputs.model }} | |
| output: ${{ steps.collect_output.outputs.output }} | |
| output_types: ${{ steps.collect_output.outputs.output_types }} | |
| secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Create gh-aw temp directory | |
| run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh | |
| - name: Setup jq utilities directory | |
| run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" | |
| - env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| name: Fetch Copilot PR data | |
| run: "# Create output directories\nmkdir -p /tmp/gh-aw/pr-data\nmkdir -p /tmp/gh-aw/cache-memory\n\n# Get today's date for cache identification\nTODAY=$(date '+%Y-%m-%d')\nCACHE_DIR=\"/tmp/gh-aw/cache-memory\"\n\n# Check if cached data exists from today\nif [ -f \"$CACHE_DIR/copilot-prs-${TODAY}.json\" ] && [ -s \"$CACHE_DIR/copilot-prs-${TODAY}.json\" ]; then\n echo \"✓ Found cached PR data from ${TODAY}\"\n cp \"$CACHE_DIR/copilot-prs-${TODAY}.json\" /tmp/gh-aw/pr-data/copilot-prs.json\n \n # Regenerate schema if missing\n if [ ! -f \"$CACHE_DIR/copilot-prs-${TODAY}-schema.json\" ]; then\n /tmp/gh-aw/jqschema.sh < /tmp/gh-aw/pr-data/copilot-prs.json > \"$CACHE_DIR/copilot-prs-${TODAY}-schema.json\"\n fi\n cp \"$CACHE_DIR/copilot-prs-${TODAY}-schema.json\" /tmp/gh-aw/pr-data/copilot-prs-schema.json\n \n echo \"Using cached data from ${TODAY}\"\n echo \"Total PRs in cache: $(jq 'length' /tmp/gh-aw/pr-data/copilot-prs.json)\"\nelse\n echo \"⬇ Downloading fresh PR data...\"\n \n # Calculate date 30 days ago\n DATE_30_DAYS_AGO=$(date -d '30 days ago' '+%Y-%m-%d' 2>/dev/null || date -v-30d '+%Y-%m-%d')\n\n # Search for PRs from copilot/* branches in the last 30 days using gh CLI\n # Using branch prefix search (head:copilot/) instead of author for reliability\n echo \"Fetching Copilot PRs from the last 30 days...\"\n gh pr list --repo ${{ github.repository }} \\\n --search \"head:copilot/ created:>=${DATE_30_DAYS_AGO}\" \\\n --state all \\\n --json number,title,author,headRefName,createdAt,state,url,body,labels,updatedAt,closedAt,mergedAt \\\n --limit 1000 \\\n > /tmp/gh-aw/pr-data/copilot-prs.json\n\n # Generate schema for reference\n /tmp/gh-aw/jqschema.sh < /tmp/gh-aw/pr-data/copilot-prs.json > /tmp/gh-aw/pr-data/copilot-prs-schema.json\n\n # Store in cache with today's date\n cp /tmp/gh-aw/pr-data/copilot-prs.json \"$CACHE_DIR/copilot-prs-${TODAY}.json\"\n cp /tmp/gh-aw/pr-data/copilot-prs-schema.json \"$CACHE_DIR/copilot-prs-${TODAY}-schema.json\"\n\n echo \"✓ PR data saved to cache: copilot-prs-${TODAY}.json\"\n echo \"Total PRs found: $(jq 'length' /tmp/gh-aw/pr-data/copilot-prs.json)\"\nfi\n\n# Always ensure data is available at expected locations for backward compatibility\necho \"PR data available at: /tmp/gh-aw/pr-data/copilot-prs.json\"\necho \"Schema available at: /tmp/gh-aw/pr-data/copilot-prs-schema.json\"" | |
| # Cache memory file share configuration from frontmatter processed below | |
| - name: Create cache-memory directory | |
| run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh | |
| - name: Restore cache-memory file share data | |
| uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| key: copilot-pr-data-${{ github.run_id }} | |
| path: /tmp/gh-aw/cache-memory | |
| restore-keys: | | |
| copilot-pr-data- | |
| # Repo memory git-based storage configuration from frontmatter processed below | |
| - name: Clone repo-memory branch (default) | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| BRANCH_NAME: memory/copilot-agent-analysis | |
| TARGET_REPO: ${{ github.repository }} | |
| MEMORY_DIR: /tmp/gh-aw/repo-memory/default | |
| CREATE_ORPHAN: true | |
| run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh | |
| - name: Configure Git credentials | |
| env: | |
| REPO_NAME: ${{ github.repository }} | |
| SERVER_URL: ${{ github.server_url }} | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| # Re-authenticate git with GitHub token | |
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | |
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | |
| echo "Git configured with standard GitHub Actions identity" | |
| - name: Checkout PR branch | |
| id: checkout-pr | |
| if: | | |
| github.event.pull_request | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); | |
| await main(); | |
| - name: Generate agentic run info | |
| id: generate_aw_info | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const awInfo = { | |
| engine_id: "claude", | |
| engine_name: "Claude Code", | |
| model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", | |
| version: "", | |
| agent_version: "2.1.39", | |
| workflow_name: "Copilot Agent PR Analysis", | |
| experimental: false, | |
| supports_tools_allowlist: true, | |
| supports_http_transport: true, | |
| run_id: context.runId, | |
| run_number: context.runNumber, | |
| run_attempt: process.env.GITHUB_RUN_ATTEMPT, | |
| repository: context.repo.owner + '/' + context.repo.repo, | |
| ref: context.ref, | |
| sha: context.sha, | |
| actor: context.actor, | |
| event_name: context.eventName, | |
| staged: false, | |
| allowed_domains: ["defaults","github"], | |
| firewall_enabled: true, | |
| awf_version: "v0.16.2", | |
| awmg_version: "", | |
| steps: { | |
| firewall: "squid" | |
| }, | |
| created_at: new Date().toISOString() | |
| }; | |
| // Write to /tmp/gh-aw directory to avoid inclusion in PR | |
| const tmpPath = '/tmp/gh-aw/aw_info.json'; | |
| fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); | |
| console.log('Generated aw_info.json at:', tmpPath); | |
| console.log(JSON.stringify(awInfo, null, 2)); | |
| // Set model as output for reuse in other steps/jobs | |
| core.setOutput('model', awInfo.model); | |
| - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret | |
| id: validate-secret | |
| run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 | |
| with: | |
| node-version: '24' | |
| package-manager-cache: false | |
| - name: Install awf binary | |
| run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.16.2 | |
| - name: Install Claude Code CLI | |
| run: npm install -g --silent @anthropic-ai/claude-code@2.1.39 | |
| - name: Determine automatic lockdown mode for GitHub MCP server | |
| id: determine-automatic-lockdown | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); | |
| await determineAutomaticLockdown(github, context, core); | |
| - name: Download container images | |
| run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.16.2 ghcr.io/github/gh-aw-firewall/squid:0.16.2 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine | |
| - name: Write Safe Outputs Config | |
| run: | | |
| mkdir -p /opt/gh-aw/safeoutputs | |
| mkdir -p /tmp/gh-aw/safeoutputs | |
| mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs | |
| cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' | |
| {"create_discussion":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} | |
| GH_AW_SAFE_OUTPUTS_CONFIG_EOF | |
| cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' | |
| [ | |
| { | |
| "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-agent-analysis] \". Discussions will be created in category \"audits\".", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "body": { | |
| "description": "Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions.", | |
| "type": "string" | |
| }, | |
| "category": { | |
| "description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository.", | |
| "type": "string" | |
| }, | |
| "title": { | |
| "description": "Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive.", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [ | |
| "title", | |
| "body" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "create_discussion" | |
| }, | |
| { | |
| "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "alternatives": { | |
| "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "reason": { | |
| "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "tool": { | |
| "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [ | |
| "reason" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "missing_tool" | |
| }, | |
| { | |
| "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "message": { | |
| "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [ | |
| "message" | |
| ], | |
| "type": "object" | |
| }, | |
| "name": "noop" | |
| }, | |
| { | |
| "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", | |
| "inputSchema": { | |
| "additionalProperties": false, | |
| "properties": { | |
| "alternatives": { | |
| "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "context": { | |
| "description": "Additional context about the missing data or where it should come from (max 256 characters).", | |
| "type": "string" | |
| }, | |
| "data_type": { | |
| "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", | |
| "type": "string" | |
| }, | |
| "reason": { | |
| "description": "Explanation of why this data is needed to complete the task (max 256 characters).", | |
| "type": "string" | |
| } | |
| }, | |
| "required": [], | |
| "type": "object" | |
| }, | |
| "name": "missing_data" | |
| } | |
| ] | |
| GH_AW_SAFE_OUTPUTS_TOOLS_EOF | |
| cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' | |
| { | |
| "create_discussion": { | |
| "defaultMax": 1, | |
| "fields": { | |
| "body": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 65000 | |
| }, | |
| "category": { | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 128 | |
| }, | |
| "repo": { | |
| "type": "string", | |
| "maxLength": 256 | |
| }, | |
| "title": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 128 | |
| } | |
| } | |
| }, | |
| "missing_tool": { | |
| "defaultMax": 20, | |
| "fields": { | |
| "alternatives": { | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 512 | |
| }, | |
| "reason": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 256 | |
| }, | |
| "tool": { | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 128 | |
| } | |
| } | |
| }, | |
| "noop": { | |
| "defaultMax": 1, | |
| "fields": { | |
| "message": { | |
| "required": true, | |
| "type": "string", | |
| "sanitize": true, | |
| "maxLength": 65000 | |
| } | |
| } | |
| } | |
| } | |
| GH_AW_SAFE_OUTPUTS_VALIDATION_EOF | |
| - name: Generate Safe Outputs MCP Server Config | |
| id: safe-outputs-config | |
| run: | | |
| # Generate a secure random API key (360 bits of entropy, 40+ chars) | |
| # Mask immediately to prevent timing vulnerabilities | |
| API_KEY=$(openssl rand -base64 45 | tr -d '/+=') | |
| echo "::add-mask::${API_KEY}" | |
| PORT=3001 | |
| # Set outputs for next steps | |
| { | |
| echo "safe_outputs_api_key=${API_KEY}" | |
| echo "safe_outputs_port=${PORT}" | |
| } >> "$GITHUB_OUTPUT" | |
| echo "Safe Outputs MCP server will run on port ${PORT}" | |
| - name: Start Safe Outputs MCP HTTP Server | |
| id: safe-outputs-start | |
| env: | |
| DEBUG: '*' | |
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} | |
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} | |
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json | |
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json | |
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | |
| run: | | |
| # Environment variables are set above to prevent template injection | |
| export DEBUG | |
| export GH_AW_SAFE_OUTPUTS_PORT | |
| export GH_AW_SAFE_OUTPUTS_API_KEY | |
| export GH_AW_SAFE_OUTPUTS_TOOLS_PATH | |
| export GH_AW_SAFE_OUTPUTS_CONFIG_PATH | |
| export GH_AW_MCP_LOG_DIR | |
| bash /opt/gh-aw/actions/start_safe_outputs_server.sh | |
| - name: Start MCP gateway | |
| id: start-mcp-gateway | |
| env: | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} | |
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} | |
| GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} | |
| GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -eo pipefail | |
| mkdir -p /tmp/gh-aw/mcp-config | |
| # Export gateway environment variables for MCP config and gateway script | |
| export MCP_GATEWAY_PORT="80" | |
| export MCP_GATEWAY_DOMAIN="host.docker.internal" | |
| MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') | |
| echo "::add-mask::${MCP_GATEWAY_API_KEY}" | |
| export MCP_GATEWAY_API_KEY | |
| export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" | |
| mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" | |
| export DEBUG="*" | |
| export GH_AW_ENGINE="claude" | |
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.4' | |
| cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh | |
| { | |
| "mcpServers": { | |
| "github": { | |
| "container": "ghcr.io/github/github-mcp-server:v0.30.3", | |
| "env": { | |
| "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", | |
| "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN", | |
| "GITHUB_READ_ONLY": "1", | |
| "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" | |
| } | |
| }, | |
| "safeoutputs": { | |
| "type": "http", | |
| "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", | |
| "headers": { | |
| "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" | |
| } | |
| } | |
| }, | |
| "gateway": { | |
| "port": $MCP_GATEWAY_PORT, | |
| "domain": "${MCP_GATEWAY_DOMAIN}", | |
| "apiKey": "${MCP_GATEWAY_API_KEY}", | |
| "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" | |
| } | |
| } | |
| GH_AW_MCP_CONFIG_EOF | |
| - name: Generate workflow overview | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); | |
| await generateWorkflowOverview(core); | |
| - name: Create prompt with built-in context | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GH_AW_GITHUB_ACTOR: ${{ github.actor }} | |
| GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} | |
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} | |
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | |
| GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} | |
| GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} | |
| run: | | |
| bash /opt/gh-aw/actions/create_prompt_first.sh | |
| cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" | |
| <system> | |
| GH_AW_PROMPT_EOF | |
| cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" | |
| cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" | |
| cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| --- | |
| ## Repo Memory Available | |
| You have access to a persistent repo memory folder at `/tmp/gh-aw/repo-memory/default/` where you can read and write files that are stored in a git branch. Historical agent performance metrics | |
| - **Read/Write Access**: You can freely read from and write to any files in this folder | |
| - **Git Branch Storage**: Files are stored in the `memory/copilot-agent-analysis` branch of the current repository | |
| - **Automatic Push**: Changes are automatically committed and pushed after the workflow completes | |
| - **Merge Strategy**: In case of conflicts, your changes (current version) win | |
| - **Persistence**: Files persist across workflow runs via git branch storage | |
| - **Allowed File Types**: Only the following file extensions are allowed: `.json`, `.jsonl`, `.txt`, `.md`, `.csv`. Files with other extensions will be rejected during validation. | |
| **Constraints:** | |
| - **Allowed Files**: Only files matching patterns: memory/copilot-agent-analysis/*.json, memory/copilot-agent-analysis/*.jsonl, memory/copilot-agent-analysis/*.csv, memory/copilot-agent-analysis/*.md | |
| - **Max File Size**: 102400 bytes (0.10 MB) per file | |
| - **Max File Count**: 100 files per commit | |
| Examples of what you can store: | |
| - `/tmp/gh-aw/repo-memory/default/notes.md` - general notes and observations | |
| - `/tmp/gh-aw/repo-memory/default/notes.txt` - plain text notes | |
| - `/tmp/gh-aw/repo-memory/default/state.json` - structured state data | |
| - `/tmp/gh-aw/repo-memory/default/history.jsonl` - activity history in JSON Lines format | |
| - `/tmp/gh-aw/repo-memory/default/data.csv` - tabular data | |
| - `/tmp/gh-aw/repo-memory/default/history/` - organized history files in subdirectories (with allowed file types) | |
| Feel free to create, read, update, and organize files in this folder as needed for your tasks, using only the allowed file types. | |
| <safe-outputs> | |
| <description>GitHub API Access Instructions</description> | |
| <important> | |
| The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. | |
| </important> | |
| <instructions> | |
| To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. | |
| Discover available tools from the safeoutputs MCP server. | |
| **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. | |
| **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. | |
| </instructions> | |
| </safe-outputs> | |
| <github-context> | |
| The following GitHub context information is available for this workflow: | |
| {{#if __GH_AW_GITHUB_ACTOR__ }} | |
| - **actor**: __GH_AW_GITHUB_ACTOR__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_REPOSITORY__ }} | |
| - **repository**: __GH_AW_GITHUB_REPOSITORY__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_WORKSPACE__ }} | |
| - **workspace**: __GH_AW_GITHUB_WORKSPACE__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} | |
| - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} | |
| - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} | |
| - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} | |
| - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ | |
| {{/if}} | |
| {{#if __GH_AW_GITHUB_RUN_ID__ }} | |
| - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ | |
| {{/if}} | |
| </github-context> | |
| GH_AW_PROMPT_EOF | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| </system> | |
| GH_AW_PROMPT_EOF | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| {{#runtime-import .github/workflows/shared/mood.md}} | |
| GH_AW_PROMPT_EOF | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| {{#runtime-import .github/workflows/shared/jqschema.md}} | |
| GH_AW_PROMPT_EOF | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| {{#runtime-import .github/workflows/shared/reporting.md}} | |
| GH_AW_PROMPT_EOF | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| {{#runtime-import .github/workflows/shared/copilot-pr-data-fetch.md}} | |
| GH_AW_PROMPT_EOF | |
| cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" | |
| {{#runtime-import .github/workflows/copilot-agent-analysis.md}} | |
| GH_AW_PROMPT_EOF | |
| - name: Substitute placeholders | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_ALLOWED_EXTENSIONS: '' | |
| GH_AW_CACHE_DESCRIPTION: '' | |
| GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/' | |
| GH_AW_GITHUB_ACTOR: ${{ github.actor }} | |
| GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} | |
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} | |
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | |
| GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} | |
| GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} | |
| with: | |
| script: | | |
| const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); | |
| // Call the substitution function | |
| return await substitutePlaceholders({ | |
| file: process.env.GH_AW_PROMPT, | |
| substitutions: { | |
| GH_AW_ALLOWED_EXTENSIONS: process.env.GH_AW_ALLOWED_EXTENSIONS, | |
| GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, | |
| GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, | |
| GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, | |
| GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, | |
| GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, | |
| GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, | |
| GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, | |
| GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, | |
| GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, | |
| GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE | |
| } | |
| }); | |
| - name: Interpolate variables and render templates | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); | |
| await main(); | |
| - name: Validate prompt placeholders | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh | |
| - name: Print prompt | |
| env: | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| run: bash /opt/gh-aw/actions/print_prompt_summary.sh | |
| - name: Clean git credentials | |
| run: bash /opt/gh-aw/actions/clean_git_credentials.sh | |
| - name: Execute Claude Code CLI | |
| id: agentic_execution | |
| # Allowed tools (sorted): | |
| # - Bash(/tmp/gh-aw/jqschema.sh) | |
| # - Bash(cat) | |
| # - Bash(cp *) | |
| # - Bash(date *) | |
| # - Bash(date) | |
| # - Bash(echo) | |
| # - Bash(find .github -maxdepth 1 -ls) | |
| # - Bash(find .github -name '*.md') | |
| # - Bash(find .github -type f -exec cat {} +) | |
| # - Bash(gh api *) | |
| # - Bash(gh pr list *) | |
| # - Bash(gh search prs *) | |
| # - Bash(git diff) | |
| # - Bash(git log --oneline) | |
| # - Bash(grep) | |
| # - Bash(head) | |
| # - Bash(jq *) | |
| # - Bash(ln *) | |
| # - Bash(ls) | |
| # - Bash(mkdir *) | |
| # - Bash(pwd) | |
| # - Bash(sort) | |
| # - Bash(tail) | |
| # - Bash(uniq) | |
| # - Bash(wc) | |
| # - Bash(yq) | |
| # - BashOutput | |
| # - Edit | |
| # - Edit(/tmp/gh-aw/cache-memory/*) | |
| # - ExitPlanMode | |
| # - Glob | |
| # - Grep | |
| # - KillBash | |
| # - LS | |
| # - MultiEdit | |
| # - MultiEdit(/tmp/gh-aw/cache-memory/*) | |
| # - NotebookEdit | |
| # - NotebookRead | |
| # - Read | |
| # - Read(/tmp/gh-aw/cache-memory/*) | |
| # - Task | |
| # - TodoWrite | |
| # - Write | |
| # - Write(/tmp/gh-aw/cache-memory/*) | |
| # - mcp__github__download_workflow_run_artifact | |
| # - mcp__github__get_code_scanning_alert | |
| # - mcp__github__get_commit | |
| # - mcp__github__get_dependabot_alert | |
| # - mcp__github__get_discussion | |
| # - mcp__github__get_discussion_comments | |
| # - mcp__github__get_file_contents | |
| # - mcp__github__get_job_logs | |
| # - mcp__github__get_label | |
| # - mcp__github__get_latest_release | |
| # - mcp__github__get_me | |
| # - mcp__github__get_notification_details | |
| # - mcp__github__get_pull_request | |
| # - mcp__github__get_pull_request_comments | |
| # - mcp__github__get_pull_request_diff | |
| # - mcp__github__get_pull_request_files | |
| # - mcp__github__get_pull_request_review_comments | |
| # - mcp__github__get_pull_request_reviews | |
| # - mcp__github__get_pull_request_status | |
| # - mcp__github__get_release_by_tag | |
| # - mcp__github__get_secret_scanning_alert | |
| # - mcp__github__get_tag | |
| # - mcp__github__get_workflow_run | |
| # - mcp__github__get_workflow_run_logs | |
| # - mcp__github__get_workflow_run_usage | |
| # - mcp__github__issue_read | |
| # - mcp__github__list_branches | |
| # - mcp__github__list_code_scanning_alerts | |
| # - mcp__github__list_commits | |
| # - mcp__github__list_dependabot_alerts | |
| # - mcp__github__list_discussion_categories | |
| # - mcp__github__list_discussions | |
| # - mcp__github__list_issue_types | |
| # - mcp__github__list_issues | |
| # - mcp__github__list_label | |
| # - mcp__github__list_notifications | |
| # - mcp__github__list_pull_requests | |
| # - mcp__github__list_releases | |
| # - mcp__github__list_secret_scanning_alerts | |
| # - mcp__github__list_starred_repositories | |
| # - mcp__github__list_tags | |
| # - mcp__github__list_workflow_jobs | |
| # - mcp__github__list_workflow_run_artifacts | |
| # - mcp__github__list_workflow_runs | |
| # - mcp__github__list_workflows | |
| # - mcp__github__pull_request_read | |
| # - mcp__github__search_code | |
| # - mcp__github__search_issues | |
| # - mcp__github__search_orgs | |
| # - mcp__github__search_pull_requests | |
| # - mcp__github__search_repositories | |
| # - mcp__github__search_users | |
| timeout-minutes: 15 | |
| run: | | |
| set -o pipefail | |
| sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.2 --skip-pull \ | |
| -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(cp *),Bash(date *),Bash(date),Bash(echo),Bash(find .github -maxdepth 1 -ls),Bash(find .github -name '\''\'\'''\''*.md'\''\'\'''\''),Bash(find .github -type f -exec cat {} +),Bash(gh api *),Bash(gh pr list *),Bash(gh search prs *),Bash(git diff),Bash(git log --oneline),Bash(grep),Bash(head),Bash(jq *),Bash(ln *),Bash(ls),Bash(mkdir *),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log | |
| env: | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| BASH_DEFAULT_TIMEOUT_MS: 60000 | |
| BASH_MAX_TIMEOUT_MS: 60000 | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| DISABLE_BUG_COMMAND: 1 | |
| DISABLE_ERROR_REPORTING: 1 | |
| DISABLE_TELEMETRY: 1 | |
| GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json | |
| GH_AW_MODEL_AGENT_CLAUDE: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE || '' }} | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GITHUB_WORKSPACE: ${{ github.workspace }} | |
| MCP_TIMEOUT: 120000 | |
| MCP_TOOL_TIMEOUT: 60000 | |
| - name: Configure Git credentials | |
| env: | |
| REPO_NAME: ${{ github.repository }} | |
| SERVER_URL: ${{ github.server_url }} | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| # Re-authenticate git with GitHub token | |
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | |
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | |
| echo "Git configured with standard GitHub Actions identity" | |
| - name: Stop MCP gateway | |
| if: always() | |
| continue-on-error: true | |
| env: | |
| MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} | |
| MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} | |
| GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} | |
| run: | | |
| bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" | |
| - name: Redact secrets in logs | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); | |
| await main(); | |
| env: | |
| GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' | |
| SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| SECRET_CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | |
| SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} | |
| SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Safe Outputs | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: safe-output | |
| path: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| if-no-files-found: warn | |
| - name: Ingest agent output | |
| id: collect_output | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} | |
| GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" | |
| GITHUB_SERVER_URL: ${{ github.server_url }} | |
| GITHUB_API_URL: ${{ github.api_url }} | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); | |
| await main(); | |
| - name: Upload sanitized agent output | |
| if: always() && env.GH_AW_AGENT_OUTPUT | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| if-no-files-found: warn | |
| - name: Parse agent logs for step summary | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); | |
| await main(); | |
| - name: Parse MCP gateway logs for step summary | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); | |
| await main(); | |
| - name: Print firewall logs | |
| if: always() | |
| continue-on-error: true | |
| env: | |
| AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs | |
| run: | | |
| # Fix permissions on firewall logs so they can be uploaded as artifacts | |
| # AWF runs with sudo, creating files owned by root | |
| sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true | |
| awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" | |
| # Upload repo memory as artifacts for push job | |
| - name: Upload repo-memory artifact (default) | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: repo-memory-default | |
| path: /tmp/gh-aw/repo-memory/default | |
| retention-days: 1 | |
| if-no-files-found: ignore | |
| - name: Upload cache-memory data as artifact | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| if: always() | |
| with: | |
| name: cache-memory | |
| path: /tmp/gh-aw/cache-memory | |
| - name: Upload agent artifacts | |
| if: always() | |
| continue-on-error: true | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: agent-artifacts | |
| path: | | |
| /tmp/gh-aw/aw-prompts/prompt.txt | |
| /tmp/gh-aw/aw_info.json | |
| /tmp/gh-aw/mcp-logs/ | |
| /tmp/gh-aw/sandbox/firewall/logs/ | |
| /tmp/gh-aw/agent-stdio.log | |
| /tmp/gh-aw/agent/ | |
| if-no-files-found: ignore | |
| conclusion: | |
| needs: | |
| - activation | |
| - agent | |
| - detection | |
| - push_repo_memory | |
| - safe_outputs | |
| - update_cache_memory | |
| if: (always()) && (needs.agent.result != 'skipped') | |
| runs-on: ubuntu-slim | |
| permissions: | |
| contents: read | |
| discussions: write | |
| issues: write | |
| pull-requests: write | |
| outputs: | |
| noop_message: ${{ steps.noop.outputs.noop_message }} | |
| tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} | |
| total_count: ${{ steps.missing_tool.outputs.total_count }} | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Download agent output artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: /tmp/gh-aw/safeoutputs/ | |
| - name: Setup agent output environment variable | |
| run: | | |
| mkdir -p /tmp/gh-aw/safeoutputs/ | |
| find "/tmp/gh-aw/safeoutputs/" -type f -print | |
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" | |
| - name: Process No-Op Messages | |
| id: noop | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_NOOP_MAX: 1 | |
| GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/noop.cjs'); | |
| await main(); | |
| - name: Record Missing Tool | |
| id: missing_tool | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); | |
| await main(); | |
| - name: Handle Agent Failure | |
| id: handle_agent_failure | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} | |
| GH_AW_WORKFLOW_ID: "copilot-agent-analysis" | |
| GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} | |
| GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} | |
| GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} | |
| GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} | |
| GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }} | |
| GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }} | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); | |
| await main(); | |
| - name: Handle No-Op Message | |
| id: handle_noop_message | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} | |
| GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} | |
| GH_AW_NOOP_REPORT_AS_ISSUE: "true" | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); | |
| await main(); | |
| - name: Update reaction comment with completion status | |
| id: conclusion | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }} | |
| GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} | |
| GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} | |
| GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }} | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); | |
| await main(); | |
| detection: | |
| needs: agent | |
| if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: "gh-aw-claude-${{ github.workflow }}" | |
| timeout-minutes: 10 | |
| outputs: | |
| success: ${{ steps.parse_results.outputs.success }} | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Download agent artifacts | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-artifacts | |
| path: /tmp/gh-aw/threat-detection/ | |
| - name: Download agent output artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: /tmp/gh-aw/threat-detection/ | |
| - name: Echo agent output types | |
| env: | |
| AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} | |
| run: | | |
| echo "Agent output-types: $AGENT_OUTPUT_TYPES" | |
| - name: Setup threat detection | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| WORKFLOW_DESCRIPTION: "Analyzes GitHub Copilot agent usage patterns in pull requests to provide insights on agent effectiveness and behavior" | |
| HAS_PATCH: ${{ needs.agent.outputs.has_patch }} | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); | |
| await main(); | |
| - name: Ensure threat-detection directory and log | |
| run: | | |
| mkdir -p /tmp/gh-aw/threat-detection | |
| touch /tmp/gh-aw/threat-detection/detection.log | |
| - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret | |
| id: validate-secret | |
| run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code | |
| env: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 | |
| with: | |
| node-version: '24' | |
| package-manager-cache: false | |
| - name: Install Claude Code CLI | |
| run: npm install -g --silent @anthropic-ai/claude-code@2.1.39 | |
| - name: Execute Claude Code CLI | |
| id: agentic_execution | |
| # Allowed tools (sorted): | |
| # - Bash(cat) | |
| # - Bash(grep) | |
| # - Bash(head) | |
| # - Bash(jq) | |
| # - Bash(ls) | |
| # - Bash(tail) | |
| # - Bash(wc) | |
| # - BashOutput | |
| # - ExitPlanMode | |
| # - Glob | |
| # - Grep | |
| # - KillBash | |
| # - LS | |
| # - NotebookRead | |
| # - Read | |
| # - Task | |
| # - TodoWrite | |
| timeout-minutes: 20 | |
| run: | | |
| set -o pipefail | |
| # Execute Claude Code CLI with prompt from file | |
| claude --print --disable-slash-commands --no-chrome --allowed-tools 'Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite' --debug-file /tmp/gh-aw/threat-detection/detection.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"} 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log | |
| env: | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| BASH_DEFAULT_TIMEOUT_MS: 60000 | |
| BASH_MAX_TIMEOUT_MS: 60000 | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| DISABLE_BUG_COMMAND: 1 | |
| DISABLE_ERROR_REPORTING: 1 | |
| DISABLE_TELEMETRY: 1 | |
| GH_AW_MODEL_DETECTION_CLAUDE: ${{ vars.GH_AW_MODEL_DETECTION_CLAUDE || '' }} | |
| GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt | |
| GITHUB_WORKSPACE: ${{ github.workspace }} | |
| MCP_TIMEOUT: 120000 | |
| MCP_TOOL_TIMEOUT: 60000 | |
| - name: Parse threat detection results | |
| id: parse_results | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); | |
| await main(); | |
| - name: Upload threat detection log | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: threat-detection.log | |
| path: /tmp/gh-aw/threat-detection/detection.log | |
| if-no-files-found: ignore | |
| push_repo_memory: | |
| needs: | |
| - agent | |
| - detection | |
| if: always() && needs.detection.outputs.success == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| outputs: | |
| validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }} | |
| validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }} | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: . | |
| - name: Configure Git credentials | |
| env: | |
| REPO_NAME: ${{ github.repository }} | |
| SERVER_URL: ${{ github.server_url }} | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| # Re-authenticate git with GitHub token | |
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | |
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | |
| echo "Git configured with standard GitHub Actions identity" | |
| - name: Download repo-memory artifact (default) | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| continue-on-error: true | |
| with: | |
| name: repo-memory-default | |
| path: /tmp/gh-aw/repo-memory/default | |
| - name: Push repo-memory changes (default) | |
| id: push_repo_memory_default | |
| if: always() | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| GITHUB_RUN_ID: ${{ github.run_id }} | |
| ARTIFACT_DIR: /tmp/gh-aw/repo-memory/default | |
| MEMORY_ID: default | |
| TARGET_REPO: ${{ github.repository }} | |
| BRANCH_NAME: memory/copilot-agent-analysis | |
| MAX_FILE_SIZE: 102400 | |
| MAX_FILE_COUNT: 100 | |
| ALLOWED_EXTENSIONS: '[]' | |
| FILE_GLOB_FILTER: "memory/copilot-agent-analysis/*.json memory/copilot-agent-analysis/*.jsonl memory/copilot-agent-analysis/*.csv memory/copilot-agent-analysis/*.md" | |
| with: | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); | |
| await main(); | |
| safe_outputs: | |
| needs: | |
| - agent | |
| - detection | |
| if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') | |
| runs-on: ubuntu-slim | |
| permissions: | |
| contents: read | |
| discussions: write | |
| issues: write | |
| timeout-minutes: 15 | |
| env: | |
| GH_AW_ENGINE_ID: "claude" | |
| GH_AW_WORKFLOW_ID: "copilot-agent-analysis" | |
| GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" | |
| outputs: | |
| create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} | |
| create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} | |
| process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} | |
| process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Download agent output artifact | |
| continue-on-error: true | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: agent-output | |
| path: /tmp/gh-aw/safeoutputs/ | |
| - name: Setup agent output environment variable | |
| run: | | |
| mkdir -p /tmp/gh-aw/safeoutputs/ | |
| find "/tmp/gh-aw/safeoutputs/" -type f -print | |
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" | |
| - name: Process Safe Outputs | |
| id: process_safe_outputs | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | |
| GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"audits\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[copilot-agent-analysis] \"},\"missing_data\":{},\"missing_tool\":{}}" | |
| with: | |
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); | |
| setupGlobals(core, github, context, exec, io); | |
| const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); | |
| await main(); | |
| update_cache_memory: | |
| needs: | |
| - agent | |
| - detection | |
| if: always() && needs.detection.outputs.success == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout actions folder | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| sparse-checkout: | | |
| actions | |
| persist-credentials: false | |
| - name: Setup Scripts | |
| uses: ./actions/setup | |
| with: | |
| destination: /opt/gh-aw/actions | |
| - name: Download cache-memory artifact (default) | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| continue-on-error: true | |
| with: | |
| name: cache-memory | |
| path: /tmp/gh-aw/cache-memory | |
| - name: Save cache-memory to cache (default) | |
| uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| key: copilot-pr-data-${{ github.run_id }} | |
| path: /tmp/gh-aw/cache-memory | |