Go Pattern Detector #486

Workflow file for this run

.github/workflows/go-pattern-detector.lock.yml at 2368d98

	#
	# ___ _ _
	# / _ \ \| \| (_)
	# \| \|_\| \| __ _ ___ _ __ \| \|_ _ ___
	# \| _ \|/ _` \|/ _ \ '_ \\| __\| \|/ __\|
	# \| \| \| \| (_\| \| __/ \| \| \| \|_\| \| (__
	# \_\| \|_/\__, \|\___\|_\| \|_\|\__\|_\|\___\|
	# __/ \|
	# _ _ \|___/
	# \| \| \| \| / _\| \|
	# \| \| \| \| ___ _ __ _ __\| \|_\| \| _____ ____
	# \| \|/\\| \|/ _ \ '__\| \|/ /\| _\| \|/ _ \ \ /\ / / ___\|
	# \ /\ / (_) \| \| \| \| ( \| \| \| \| (_) \ V V /\__ \
	# \/ \/ \___/\|_\| \|_\|\_\\|_\| \|_\|\___/ \_/\_/ \|___/
	#
	# This file was automatically generated by gh-aw. DO NOT EDIT.
	#
	# To update this file, edit the corresponding .md file and run:
	# gh aw compile
	# Not all edits will cause changes to this file.
	#
	# For more information: https://github.github.com/gh-aw/introduction/overview/
	#
	# Detects common Go code patterns and anti-patterns to maintain code quality and consistency
	#
	# Resolved workflow manifest:
	# Imports:
	# - shared/mcp/ast-grep.md
	#
	# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b97f1fea9e98decc6a42563d2e324c065d494f9a2cf336f4743dc4818be0c610"}

	name: "Go Pattern Detector"
	"on":
	schedule:
	- cron: "0 14 * * 1-5"
	workflow_dispatch:

	permissions: {}

	concurrency:
	group: "gh-aw-${{ github.workflow }}"

	run-name: "Go Pattern Detector"

	jobs:
	activation:
	runs-on: ubuntu-slim
	permissions:
	contents: read
	outputs:
	comment_id: ""
	comment_repo: ""
	secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Validate ANTHROPIC_API_KEY secret
	id: validate-secret
	run: /opt/gh-aw/actions/validate_multi_secret.sh ANTHROPIC_API_KEY 'Claude Code' https://github.github.com/gh-aw/reference/engines/#anthropic-claude-code
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	- name: Validate context variables
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/validate_context_variables.cjs');
	await main();
	- name: Checkout .github and .agents folders
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	.github
	.agents
	fetch-depth: 1
	persist-credentials: false
	- name: Check workflow file timestamps
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_WORKFLOW_FILE: "go-pattern-detector.lock.yml"
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs');
	await main();
	- name: Create prompt with built-in context
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_AFTER: ${{ github.event.after }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	run: \|
	bash /opt/gh-aw/actions/create_prompt_first.sh
	{
	cat << 'GH_AW_PROMPT_EOF'
	<system>
	GH_AW_PROMPT_EOF
	cat "/opt/gh-aw/prompts/xpia.md"
	cat "/opt/gh-aw/prompts/temp_folder_prompt.md"
	cat "/opt/gh-aw/prompts/markdown.md"
	cat "/opt/gh-aw/prompts/safe_outputs_prompt.md"
	cat << 'GH_AW_PROMPT_EOF'
	<safe-output-tools>
	Tools: create_issue, missing_tool, missing_data
	</safe-output-tools>
	<github-context>
	The following GitHub context information is available for this workflow:
	{{#if __GH_AW_GITHUB_ACTOR__ }}
	- actor: __GH_AW_GITHUB_ACTOR__
	{{/if}}
	{{#if __GH_AW_GITHUB_REPOSITORY__ }}
	- repository: __GH_AW_GITHUB_REPOSITORY__
	{{/if}}
	{{#if __GH_AW_GITHUB_WORKSPACE__ }}
	- workspace: __GH_AW_GITHUB_WORKSPACE__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
	- issue-number: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
	- discussion-number: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
	- pull-request-number: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
	- comment-id: __GH_AW_GITHUB_EVENT_COMMENT_ID__
	{{/if}}
	{{#if __GH_AW_GITHUB_RUN_ID__ }}
	- workflow-run-id: __GH_AW_GITHUB_RUN_ID__
	{{/if}}
	</github-context>

	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	</system>
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	{{#runtime-import .github/workflows/shared/mcp/ast-grep.md}}
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF'
	{{#runtime-import .github/workflows/go-pattern-detector.md}}
	GH_AW_PROMPT_EOF
	} > "$GH_AW_PROMPT"
	- name: Interpolate variables and render templates
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_AFTER: ${{ github.event.after }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
	await main();
	- name: Substitute placeholders
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_AFTER: ${{ github.event.after }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);

	const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');

	// Call the substitution function
	return await substitutePlaceholders({
	file: process.env.GH_AW_PROMPT,
	substitutions: {
	GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
	GH_AW_GITHUB_EVENT_AFTER: process.env.GH_AW_GITHUB_EVENT_AFTER,
	GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
	GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
	GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
	GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE
	}
	});
	- name: Validate prompt placeholders
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
	- name: Print prompt
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	run: bash /opt/gh-aw/actions/print_prompt_summary.sh
	- name: Upload prompt artifact
	if: success()
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
	with:
	name: prompt
	path: /tmp/gh-aw/aw-prompts/prompt.txt
	retention-days: 1

	agent:
	needs:
	- activation
	- ast_grep
	if: needs.ast_grep.outputs.found_patterns == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	issues: read
	pull-requests: read
	concurrency:
	group: "gh-aw-claude-${{ github.workflow }}"
	env:
	DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
	GH_AW_ASSETS_ALLOWED_EXTS: ""
	GH_AW_ASSETS_BRANCH: ""
	GH_AW_ASSETS_MAX_SIZE_KB: 0
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
	GH_AW_WORKFLOW_ID_SANITIZED: gopatterndetector
	outputs:
	checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success \|\| 'true' }}
	detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
	detection_success: ${{ steps.detection_conclusion.outputs.success }}
	has_patch: ${{ steps.collect_output.outputs.has_patch }}
	model: ${{ steps.generate_aw_info.outputs.model }}
	output: ${{ steps.collect_output.outputs.output }}
	output_types: ${{ steps.collect_output.outputs.output_types }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- name: Create gh-aw temp directory
	run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Checkout PR branch
	id: checkout-pr
	if: \|
	github.event.pull_request
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs');
	await main();
	- name: Generate agentic run info
	id: generate_aw_info
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const fs = require('fs');

	const awInfo = {
	engine_id: "claude",
	engine_name: "Claude Code",
	model: process.env.GH_AW_MODEL_AGENT_CLAUDE \|\| "",
	version: "",
	agent_version: "2.1.56",
	workflow_name: "Go Pattern Detector",
	experimental: false,
	supports_tools_allowlist: true,
	run_id: context.runId,
	run_number: context.runNumber,
	run_attempt: process.env.GITHUB_RUN_ATTEMPT,
	repository: context.repo.owner + '/' + context.repo.repo,
	ref: context.ref,
	sha: context.sha,
	actor: context.actor,
	event_name: context.eventName,
	staged: false,
	allowed_domains: ["defaults"],
	firewall_enabled: true,
	awf_version: "v0.23.0",
	awmg_version: "v0.1.5",
	steps: {
	firewall: "squid"
	},
	created_at: new Date().toISOString()
	};

	// Write to /tmp/gh-aw directory to avoid inclusion in PR
	const tmpPath = '/tmp/gh-aw/aw_info.json';
	fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2));
	console.log('Generated aw_info.json at:', tmpPath);
	console.log(JSON.stringify(awInfo, null, 2));

	// Set model as output for reuse in other steps/jobs
	core.setOutput('model', awInfo.model);
	- name: Setup Node.js
	uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
	with:
	node-version: '24'
	package-manager-cache: false
	- name: Install awf binary
	run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
	- name: Install Claude Code CLI
	run: npm install -g --silent @anthropic-ai/claude-code@2.1.56
	- name: Determine automatic lockdown mode for GitHub MCP Server
	id: determine-automatic-lockdown
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	with:
	script: \|
	const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
	await determineAutomaticLockdown(github, context, core);
	- name: Download container images
	run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.5 ghcr.io/github/github-mcp-server:v0.31.0 mcp/ast-grep:latest node:lts-alpine
	- name: Write Safe Outputs Config
	run: \|
	mkdir -p /opt/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
	cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'
	{"create_issue":{"expires":48,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
	GH_AW_SAFE_OUTPUTS_CONFIG_EOF
	cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
	[
	{
	"description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ast-grep] \". Labels [code-quality ast-grep cookie] will be automatically added.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"body": {
	"description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.",
	"type": "string"
	},
	"labels": {
	"description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.",
	"items": {
	"type": "string"
	},
	"type": "array"
	},
	"parent": {
	"description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from a previously created issue in the same workflow run.",
	"type": [
	"number",
	"string"
	]
	},
	"temporary_id": {
	"description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 3 to 8 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.",
	"pattern": "^aw_[A-Za-z0-9]{3,8}$",
	"type": "string"
	},
	"title": {
	"description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.",
	"type": "string"
	}
	},
	"required": [
	"title",
	"body"
	],
	"type": "object"
	},
	"name": "create_issue"
	},
	{
	"description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"alternatives": {
	"description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
	"type": "string"
	},
	"reason": {
	"description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).",
	"type": "string"
	},
	"tool": {
	"description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.",
	"type": "string"
	}
	},
	"required": [
	"reason"
	],
	"type": "object"
	},
	"name": "missing_tool"
	},
	{
	"description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"message": {
	"description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').",
	"type": "string"
	}
	},
	"required": [
	"message"
	],
	"type": "object"
	},
	"name": "noop"
	},
	{
	"description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"alternatives": {
	"description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
	"type": "string"
	},
	"context": {
	"description": "Additional context about the missing data or where it should come from (max 256 characters).",
	"type": "string"
	},
	"data_type": {
	"description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.",
	"type": "string"
	},
	"reason": {
	"description": "Explanation of why this data is needed to complete the task (max 256 characters).",
	"type": "string"
	}
	},
	"required": [],
	"type": "object"
	},
	"name": "missing_data"
	}
	]
	GH_AW_SAFE_OUTPUTS_TOOLS_EOF
	cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF'
	{
	"create_issue": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"labels": {
	"type": "array",
	"itemType": "string",
	"itemSanitize": true,
	"itemMaxLength": 128
	},
	"parent": {
	"issueOrPRNumber": true
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	},
	"temporary_id": {
	"type": "string"
	},
	"title": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"missing_data": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"context": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"data_type": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	},
	"reason": {
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	}
	}
	},
	"missing_tool": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 512
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"tool": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"noop": {
	"defaultMax": 1,
	"fields": {
	"message": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	}
	}
	}
	}
	GH_AW_SAFE_OUTPUTS_VALIDATION_EOF
	- name: Generate Safe Outputs MCP Server Config
	id: safe-outputs-config
	run: \|
	# Generate a secure random API key (360 bits of entropy, 40+ chars)
	# Mask immediately to prevent timing vulnerabilities
	API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${API_KEY}"

	PORT=3001

	# Set outputs for next steps
	{
	echo "safe_outputs_api_key=${API_KEY}"
	echo "safe_outputs_port=${PORT}"
	} >> "$GITHUB_OUTPUT"

	echo "Safe Outputs MCP server will run on port ${PORT}"

	- name: Start Safe Outputs MCP HTTP Server
	id: safe-outputs-start
	env:
	DEBUG: '*'
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	run: \|
	# Environment variables are set above to prevent template injection
	export DEBUG
	export GH_AW_SAFE_OUTPUTS_PORT
	export GH_AW_SAFE_OUTPUTS_API_KEY
	export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
	export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
	export GH_AW_MCP_LOG_DIR

	bash /opt/gh-aw/actions/start_safe_outputs_server.sh

	- name: Start MCP Gateway
	id: start-mcp-gateway
	env:
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
	GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' \|\| '0' }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	run: \|
	set -eo pipefail
	mkdir -p /tmp/gh-aw/mcp-config

	# Export gateway environment variables for MCP config and gateway script
	export MCP_GATEWAY_PORT="80"
	export MCP_GATEWAY_DOMAIN="host.docker.internal"
	MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${MCP_GATEWAY_API_KEY}"
	export MCP_GATEWAY_API_KEY
	export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
	mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
	export DEBUG="*"

	export GH_AW_ENGINE="claude"
	export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.5'

	cat << GH_AW_MCP_CONFIG_EOF \| bash /opt/gh-aw/actions/start_mcp_gateway.sh
	{
	"mcpServers": {
	"ast-grep": {
	"type": "stdio",
	"container": "mcp/ast-grep:latest"
	},
	"github": {
	"container": "ghcr.io/github/github-mcp-server:v0.31.0",
	"env": {
	"GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
	"GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN",
	"GITHUB_READ_ONLY": "1",
	"GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
	}
	},
	"safeoutputs": {
	"type": "http",
	"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
	"headers": {
	"Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY"
	}
	}
	},
	"gateway": {
	"port": $MCP_GATEWAY_PORT,
	"domain": "${MCP_GATEWAY_DOMAIN}",
	"apiKey": "${MCP_GATEWAY_API_KEY}",
	"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
	}
	}
	GH_AW_MCP_CONFIG_EOF
	- name: Generate workflow overview
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');
	await generateWorkflowOverview(core);
	- name: Download prompt artifact
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
	with:
	name: prompt
	path: /tmp/gh-aw/aw-prompts
	- name: Clean git credentials
	run: bash /opt/gh-aw/actions/clean_git_credentials.sh
	- name: Execute Claude Code CLI
	id: agentic_execution
	# Allowed tools (sorted):
	# - Bash
	# - BashOutput
	# - Edit
	# - ExitPlanMode
	# - Glob
	# - Grep
	# - KillBash
	# - LS
	# - MultiEdit
	# - NotebookEdit
	# - NotebookRead
	# - Read
	# - Task
	# - TodoWrite
	# - Write
	# - mcp__ast-grep
	# - mcp__github__download_workflow_run_artifact
	# - mcp__github__get_code_scanning_alert
	# - mcp__github__get_commit
	# - mcp__github__get_dependabot_alert
	# - mcp__github__get_discussion
	# - mcp__github__get_discussion_comments
	# - mcp__github__get_file_contents
	# - mcp__github__get_job_logs
	# - mcp__github__get_label
	# - mcp__github__get_latest_release
	# - mcp__github__get_me
	# - mcp__github__get_notification_details
	# - mcp__github__get_pull_request
	# - mcp__github__get_pull_request_comments
	# - mcp__github__get_pull_request_diff
	# - mcp__github__get_pull_request_files
	# - mcp__github__get_pull_request_review_comments
	# - mcp__github__get_pull_request_reviews
	# - mcp__github__get_pull_request_status
	# - mcp__github__get_release_by_tag
	# - mcp__github__get_secret_scanning_alert
	# - mcp__github__get_tag
	# - mcp__github__get_workflow_run
	# - mcp__github__get_workflow_run_logs
	# - mcp__github__get_workflow_run_usage
	# - mcp__github__issue_read
	# - mcp__github__list_branches
	# - mcp__github__list_code_scanning_alerts
	# - mcp__github__list_commits
	# - mcp__github__list_dependabot_alerts
	# - mcp__github__list_discussion_categories
	# - mcp__github__list_discussions
	# - mcp__github__list_issue_types
	# - mcp__github__list_issues
	# - mcp__github__list_label
	# - mcp__github__list_notifications
	# - mcp__github__list_pull_requests
	# - mcp__github__list_releases
	# - mcp__github__list_secret_scanning_alerts
	# - mcp__github__list_starred_repositories
	# - mcp__github__list_tags
	# - mcp__github__list_workflow_jobs
	# - mcp__github__list_workflow_run_artifacts
	# - mcp__github__list_workflow_runs
	# - mcp__github__list_workflows
	# - mcp__github__pull_request_read
	# - mcp__github__search_code
	# - mcp__github__search_issues
	# - mcp__github__search_orgs
	# - mcp__github__search_pull_requests
	# - mcp__github__search_repositories
	# - mcp__github__search_users
	timeout-minutes: 10
	run: \|
	set -o pipefail
	# shellcheck disable=SC1003
	sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
	-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null \| tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" \|\| true && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__ast-grep,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 \| tee -a /tmp/gh-aw/agent-stdio.log
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	BASH_DEFAULT_TIMEOUT_MS: 60000
	BASH_MAX_TIMEOUT_MS: 60000
	DISABLE_BUG_COMMAND: 1
	DISABLE_ERROR_REPORTING: 1
	DISABLE_TELEMETRY: 1
	GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json
	GH_AW_MODEL_AGENT_CLAUDE: ${{ vars.GH_AW_MODEL_AGENT_CLAUDE \|\| '' }}
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GITHUB_WORKSPACE: ${{ github.workspace }}
	MCP_TIMEOUT: 120000
	MCP_TOOL_TIMEOUT: 60000
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git config --global am.keepcr true
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Stop MCP Gateway
	if: always()
	continue-on-error: true
	env:
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
	run: \|
	bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
	- name: Redact secrets in logs
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');
	await main();
	env:
	GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
	SECRET_ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Upload Safe Outputs
	if: always()
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
	with:
	name: safe-output
	path: ${{ env.GH_AW_SAFE_OUTPUTS }}
	if-no-files-found: warn
	- name: Ingest agent output
	id: collect_output
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');
	await main();
	- name: Upload sanitized agent output
	if: always() && env.GH_AW_AGENT_OUTPUT
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
	with:
	name: agent-output
	path: ${{ env.GH_AW_AGENT_OUTPUT }}
	if-no-files-found: warn
	- name: Parse agent logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs');
	await main();
	- name: Parse MCP Gateway logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');
	await main();
	- name: Print firewall logs
	if: always()
	continue-on-error: true
	env:
	AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
	run: \|
	# Fix permissions on firewall logs so they can be uploaded as artifacts
	# AWF runs with sudo, creating files owned by root
	sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null \|\| true
	# Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
	if command -v awf &> /dev/null; then
	awf logs summary \| tee -a "$GITHUB_STEP_SUMMARY"
	else
	echo 'AWF binary not installed, skipping firewall log summary'
	fi
	- name: Upload agent artifacts
	if: always()
	continue-on-error: true
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
	with:
	name: agent-artifacts
	path: \|
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/aw_info.json
	/tmp/gh-aw/mcp-logs/
	/tmp/gh-aw/sandbox/firewall/logs/
	/tmp/gh-aw/agent-stdio.log
	/tmp/gh-aw/agent/
	if-no-files-found: ignore
	# --- Threat Detection (inline) ---
	- name: Check if detection needed
	id: detection_guard
	if: always()
	env:
	OUTPUT_TYPES: ${{ steps.collect_output.outputs.output_types }}
	HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
	run: \|
	if [[ -n "$OUTPUT_TYPES" \|\| "$HAS_PATCH" == "true" ]]; then
	echo "run_detection=true" >> "$GITHUB_OUTPUT"
	echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
	else
	echo "run_detection=false" >> "$GITHUB_OUTPUT"
	echo "Detection skipped: no agent outputs or patches to analyze"
	fi
	- name: Clear MCP configuration for detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
	rm -f /home/runner/.copilot/mcp-config.json
	rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
	- name: Prepare threat detection files
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
	cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null \|\| true
	cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null \|\| true
	for f in /tmp/gh-aw/aw-*.patch; do
	[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	done
	echo "Prepared threat detection files:"
	ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null \|\| true
	- name: Setup threat detection
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	WORKFLOW_NAME: "Go Pattern Detector"
	WORKFLOW_DESCRIPTION: "Detects common Go code patterns and anti-patterns to maintain code quality and consistency"
	HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }}
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs');
	await main();
	- name: Ensure threat-detection directory and log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection
	touch /tmp/gh-aw/threat-detection/detection.log
	- name: Execute Claude Code CLI
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	id: detection_agentic_execution
	# Allowed tools (sorted):
	# - Bash(cat)
	# - Bash(grep)
	# - Bash(head)
	# - Bash(jq)
	# - Bash(ls)
	# - Bash(tail)
	# - Bash(wc)
	# - BashOutput
	# - ExitPlanMode
	# - Glob
	# - Grep
	# - KillBash
	# - LS
	# - NotebookRead
	# - Read
	# - Task
	# - TodoWrite
	timeout-minutes: 20
	run: \|
	set -o pipefail
	# shellcheck disable=SC1003
	sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
	-- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null \| tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" \|\| true && claude --print --disable-slash-commands --no-chrome --allowed-tools '\''Bash(cat),Bash(grep),Bash(head),Bash(jq),Bash(ls),Bash(tail),Bash(wc),BashOutput,ExitPlanMode,Glob,Grep,KillBash,LS,NotebookRead,Read,Task,TodoWrite'\'' --debug-file /tmp/gh-aw/threat-detection/detection.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"}' 2>&1 \| tee -a /tmp/gh-aw/threat-detection/detection.log
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	BASH_DEFAULT_TIMEOUT_MS: 60000
	BASH_MAX_TIMEOUT_MS: 60000
	DISABLE_BUG_COMMAND: 1
	DISABLE_ERROR_REPORTING: 1
	DISABLE_TELEMETRY: 1
	GH_AW_MODEL_DETECTION_CLAUDE: ${{ vars.GH_AW_MODEL_DETECTION_CLAUDE \|\| '' }}
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GITHUB_WORKSPACE: ${{ github.workspace }}
	MCP_TIMEOUT: 120000
	MCP_TOOL_TIMEOUT: 60000
	- name: Parse threat detection results
	id: parse_detection_results
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs');
	await main();
	- name: Upload threat detection log
	if: always() && steps.detection_guard.outputs.run_detection == 'true'
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
	with:
	name: threat-detection.log
	path: /tmp/gh-aw/threat-detection/detection.log
	if-no-files-found: ignore
	- name: Set detection conclusion
	id: detection_conclusion
	if: always()
	env:
	RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
	DETECTION_SUCCESS: ${{ steps.parse_detection_results.outputs.success }}
	run: \|
	if [[ "$RUN_DETECTION" != "true" ]]; then
	echo "conclusion=skipped" >> "$GITHUB_OUTPUT"
	echo "success=true" >> "$GITHUB_OUTPUT"
	echo "Detection was not needed, marking as skipped"
	elif [[ "$DETECTION_SUCCESS" == "true" ]]; then
	echo "conclusion=success" >> "$GITHUB_OUTPUT"
	echo "success=true" >> "$GITHUB_OUTPUT"
	echo "Detection passed successfully"
	else
	echo "conclusion=failure" >> "$GITHUB_OUTPUT"
	echo "success=false" >> "$GITHUB_OUTPUT"
	echo "Detection found issues"
	fi

	ast_grep:
	needs: activation
	runs-on: ubuntu-latest
	outputs:
	found_patterns: ${{ steps.detect.outputs.found_patterns }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
	with:
	persist-credentials: false
	- name: Install ast-grep
	run: \|
	# Install ast-grep using cargo for better version control and security
	cargo install ast-grep --locked
	echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
	- name: Detect Go patterns
	id: detect
	run: \|
	# Run ast-grep to detect json:"-" pattern in Go files
	if sg --pattern 'json:"-"' --lang go . > /tmp/ast-grep-results.txt 2>&1; then
	if [ -s /tmp/ast-grep-results.txt ]; then
	echo "found_patterns=true" >> "$GITHUB_OUTPUT"
	echo "::notice::Found Go patterns matching json:\"-\""
	cat /tmp/ast-grep-results.txt
	else
	echo "found_patterns=false" >> "$GITHUB_OUTPUT"
	echo "::notice::No Go patterns matching json:\"-\" found"
	fi
	else
	# ast-grep returns non-zero when no matches found
	echo "found_patterns=false" >> "$GITHUB_OUTPUT"
	echo "::notice::No Go patterns matching json:\"-\" found"
	fi

	conclusion:
	needs:
	- activation
	- agent
	- safe_outputs
	if: (always()) && (needs.agent.result != 'skipped')
	runs-on: ubuntu-slim
	permissions:
	contents: read
	issues: write
	outputs:
	noop_message: ${{ steps.noop.outputs.noop_message }}
	tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
	total_count: ${{ steps.missing_tool.outputs.total_count }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
	with:
	name: agent-output
	path: /tmp/gh-aw/safeoutputs/
	- name: Setup agent output environment variable
	run: \|
	mkdir -p /tmp/gh-aw/safeoutputs/
	find "/tmp/gh-aw/safeoutputs/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
	- name: Process No-Op Messages
	id: noop
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_NOOP_MAX: "1"
	GH_AW_WORKFLOW_NAME: "Go Pattern Detector"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/noop.cjs');
	await main();
	- name: Record Missing Tool
	id: missing_tool
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Go Pattern Detector"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/missing_tool.cjs');
	await main();
	- name: Handle Agent Failure
	id: handle_agent_failure
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Go Pattern Detector"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_WORKFLOW_ID: "go-pattern-detector"
	GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
	GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
	GH_AW_GROUP_REPORTS: "false"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs');
	await main();
	- name: Handle No-Op Message
	id: handle_noop_message
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Go Pattern Detector"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
	GH_AW_NOOP_REPORT_AS_ISSUE: "true"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs');
	await main();

	safe_outputs:
	needs: agent
	if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true')
	runs-on: ubuntu-slim
	permissions:
	contents: read
	issues: write
	timeout-minutes: 15
	env:
	GH_AW_ENGINE_ID: "claude"
	GH_AW_WORKFLOW_ID: "go-pattern-detector"
	GH_AW_WORKFLOW_NAME: "Go Pattern Detector"
	outputs:
	code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
	code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
	create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
	create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
	process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
	process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
	with:
	name: agent-output
	path: /tmp/gh-aw/safeoutputs/
	- name: Setup agent output environment variable
	run: \|
	mkdir -p /tmp/gh-aw/safeoutputs/
	find "/tmp/gh-aw/safeoutputs/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
	- name: Process Safe Outputs
	id: process_safe_outputs
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"expires\":48,\"labels\":[\"code-quality\",\"ast-grep\",\"cookie\"],\"max\":1,\"title_prefix\":\"[ast-grep] \"},\"missing_data\":{},\"missing_tool\":{}}"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs');
	await main();
	- name: Upload safe output items manifest
	if: always()
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
	with:
	name: safe-output-items
	path: /tmp/safe-output-items.jsonl
	if-no-files-found: warn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Go Pattern Detector #486

Workflow file

Go Pattern Detector #486

Uh oh!

Workflow file for this run