
Commit bba23ef

authored
feat: add GHES-compatible artifact action versions via feature flag (#31664)
1 parent d4ffde6 commit bba23ef

37 files changed

Lines changed: 706 additions & 70 deletions

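--- a/cmd/gh-aw/main.go
+++ b/cmd/gh-aw/main.go
@@ -291,6 +291,7 @@ Examples:
 approve, _ := cmd.Flags().GetBool("approve")
 validateImages, _ := cmd.Flags().GetBool("validate-images")
 priorManifestFile, _ := cmd.Flags().GetString("prior-manifest-file")
+ghes, _ := cmd.Flags().GetBool("ghes")
 verbose, _ := cmd.Flags().GetBool("verbose")
 if err := validateEngine(engineOverride); err != nil {
 return err
@@ -349,6 +350,7 @@ Examples:
 Approve: approve,
 ValidateImages: validateImages,
 PriorManifestFile: priorManifestFile,
+GHESCompat: ghes,
 }
 if _, err := cli.CompileWorkflows(cmd.Context(), config); err != nil {
 // Return error as-is without additional formatting
@@ -701,6 +703,7 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all
 compileCmd.Flags().Bool("approve", false, "Approve all safe update changes. When strict mode is active (the default), the compiler emits warnings for new restricted secrets or unapproved action additions/removals not present in the existing gh-aw-manifest. Use this flag to approve and skip safe update enforcement")
 compileCmd.Flags().Bool("validate-images", false, "Require Docker to be available for container image validation. Without this flag, container image validation is silently skipped when Docker is not installed or the daemon is not running")
 compileCmd.Flags().String("prior-manifest-file", "", "Path to a JSON file containing pre-cached gh-aw-manifests (map[lockFile]*GHAWManifest); used by the MCP server to supply a tamper-proof manifest baseline captured at startup")
+compileCmd.Flags().Bool("ghes", false, "Enable GitHub Enterprise Server (GHES) compatibility mode: emit upload-artifact@v3 and download-artifact@v3 instead of the latest v7/v8 which are not supported on GHES. Overrides the aw.json ghes field")
 if err := compileCmd.Flags().MarkHidden("prior-manifest-file"); err != nil {
 // Non-fatal: flag is registered even if MarkHidden fails
 _ = err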
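Review bot: A plain bool read with `ghes, _ := cmd.Flags().GetBool("ghes")` cannot tell "flag not given" from `--ghes=false`, yet the help text promises that the flag overrides the aw.json ghes field. The same value flows into the unconditional `compiler.SetGHESCompat(config.GHESCompat)` in pkg/cli/compile_compiler_setup.go and the `GHESCompat bool` field in pkg/cli/compile_config.go, so whether an absent flag resets a `ghes: true` loaded from aw.json depends on code outside these hunks. I would gate the override on `cmd.Flags().Changed("ghes")`, or state in the help text that the flag can only switch the mode on. The help text also names `@v3` and "v7/v8", while docs/enterprise-configuration.md in this commit lists `@v4` as the download-artifact default and `@v3.2.2`/`@v3.1.0` as the replacements; one of the two should be corrected. The enclosing command function starts and ends outside the hunks.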

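--- a/docs/enterprise-configuration.md
+++ b/docs/enterprise-configuration.md
@@ -225,6 +225,62 @@ In GitHub Actions workflow runs:
 2. Verify the GitHub token has appropriate scopes for your enterprise tenant
 3. Use `mode: remote` for the GitHub MCP server when on GHEC/GHES
 
+## GHES Artifact Compatibility
+
+GitHub Enterprise Server (GHES) does not support `@actions/artifact` v2.0.0+, which means
+`actions/upload-artifact@v4+` and `actions/download-artifact@v4+` fail with a
+`GHESNotSupportedError` on enterprise instances.
+
+### Automatic Detection (Recommended)
+
+When you run `gh aw init` inside a repository whose git remote points to a GHES instance,
+the CLI automatically detects the deployment and writes `ghes: true` to
+`.github/workflows/aw.json`:
+
+```bash
+gh aw init
+```
+
+Output:
+
+```
+GHES deployment detected (ghes.example.com): set ghes: true in .github/workflows/aw.json for artifact compatibility
+```
+
+### Manual Configuration
+
+**Option 1: aw.json (repo-wide default)**
+
+Add `ghes: true` to `.github/workflows/aw.json` to enable GHES compatibility for all
+workflows compiled in the repository:
+
+```json
+{
+"ghes": true
+}
+```
+
+**Option 2: --ghes compile flag**
+
+Pass `--ghes` to `gh aw compile` for a one-off compilation without modifying `aw.json`:
+
+```bash
+gh aw compile --ghes my-workflow.md
+```
+
+The CLI flag takes precedence over the `aw.json` setting.
+
+### What Changes
+
+When GHES compatibility mode is active, the compiler emits:
+
+| Action | Default | GHES compatible |
+|--------|---------|-----------------|
+| `actions/upload-artifact` | `@v7` (latest) | `@v3.2.2` |
+| `actions/download-artifact` | `@v4` (latest) | `@v3.1.0` |
+
+All other actions are unaffected.
+
 ## Related Documentation
 
 - [AWF Firewall Configuration](https://github.com/github/gh-aw-firewall) - Detailed AWF documentation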

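--- a/docs/src/content/docs/agent-factory-status.mdx
+++ b/docs/src/content/docs/agent-factory-status.mdx
@@ -16,8 +16,9 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [Agent Performance Analyzer - Meta-Orchestrator](https://github.com/github/gh-aw/blob/main/.github/workflows/agent-performance-analyzer.md) | copilot | [![Agent Performance Analyzer - Meta-Orchestrator](https://github.com/github/gh-aw/actions/workflows/agent-performance-analyzer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/agent-performance-analyzer.lock.yml) | - | - |
 | [Agent Persona Explorer](https://github.com/github/gh-aw/blob/main/.github/workflows/agent-persona-explorer.md) | copilot | [![Agent Persona Explorer](https://github.com/github/gh-aw/actions/workflows/agent-persona-explorer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/agent-persona-explorer.lock.yml) | - | - |
 | [Agentic Workflow Audit Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/audit-workflows.md) | claude | [![Agentic Workflow Audit Agent](https://github.com/github/gh-aw/actions/workflows/audit-workflows.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/audit-workflows.lock.yml) | - | - |
+| [Agentic Workflow Portfolio Yield](https://github.com/github/gh-aw/blob/main/.github/workflows/aw-portfolio-yield.md) | copilot | [![Agentic Workflow Portfolio Yield](https://github.com/github/gh-aw/actions/workflows/aw-portfolio-yield.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/aw-portfolio-yield.lock.yml) | - | - |
 | [AI Moderator](https://github.com/github/gh-aw/blob/main/.github/workflows/ai-moderator.md) | codex | [![AI Moderator](https://github.com/github/gh-aw/actions/workflows/ai-moderator.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/ai-moderator.lock.yml) | - | - |
-| [Approach Validator](https://github.com/github/gh-aw/blob/main/.github/workflows/approach-validator.md) | claude | [![Approach Validator](https://github.com/github/gh-aw/actions/workflows/approach-validator.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/approach-validator.lock.yml) | - | - |
+| [Approach Validator](https://github.com/github/gh-aw/blob/main/.github/workflows/approach-validator.md) | claude | [![Approach Validator](https://github.com/github/gh-aw/actions/workflows/approach-validator.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/approach-validator.lock.yml) | - | `/approach` |
 | [Archie](https://github.com/github/gh-aw/blob/main/.github/workflows/archie.md) | copilot | [![Archie](https://github.com/github/gh-aw/actions/workflows/archie.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/archie.lock.yml) | - | `/archie` |
 | [Architecture Diagram Generator](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-architecture-diagram.md) | copilot | [![Architecture Diagram Generator](https://github.com/github/gh-aw/actions/workflows/daily-architecture-diagram.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-architecture-diagram.lock.yml) | - | - |
 | [Architecture Guardian](https://github.com/github/gh-aw/blob/main/.github/workflows/architecture-guardian.md) | copilot | [![Architecture Guardian](https://github.com/github/gh-aw/actions/workflows/architecture-guardian.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/architecture-guardian.lock.yml) | - | - |
@@ -105,8 +106,10 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [DeepReport - Intelligence Gathering Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/deep-report.md) | claude | [![DeepReport - Intelligence Gathering Agent](https://github.com/github/gh-aw/actions/workflows/deep-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/deep-report.lock.yml) | `daily around 15:00 on weekdays` | - |
 | [Delight](https://github.com/github/gh-aw/blob/main/.github/workflows/delight.md) | copilot | [![Delight](https://github.com/github/gh-aw/actions/workflows/delight.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/delight.lock.yml) | - | - |
 | [Dependabot Burner](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-burner.md) | copilot | [![Dependabot Burner](https://github.com/github/gh-aw/actions/workflows/dependabot-burner.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-burner.lock.yml) | - | - |
+| [Dependabot Campaign](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-campaign.md) | copilot | [![Dependabot Campaign](https://github.com/github/gh-aw/actions/workflows/dependabot-campaign.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-campaign.lock.yml) | - | - |
 | [Dependabot Dependency Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-go-checker.md) | copilot | [![Dependabot Dependency Checker](https://github.com/github/gh-aw/actions/workflows/dependabot-go-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-go-checker.lock.yml) | `20 9 * * 1,3,5` | - |
 | [Dependabot Local Repair](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-repair.md) | copilot | [![Dependabot Local Repair](https://github.com/github/gh-aw/actions/workflows/dependabot-repair.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-repair.lock.yml) | - | - |
+| [Dependabot Worker](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-worker.md) | copilot | [![Dependabot Worker](https://github.com/github/gh-aw/actions/workflows/dependabot-worker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-worker.lock.yml) | - | - |
 | [Deployment Incident Monitor](https://github.com/github/gh-aw/blob/main/.github/workflows/deployment-incident-monitor.md) | copilot | [![Deployment Incident Monitor](https://github.com/github/gh-aw/actions/workflows/deployment-incident-monitor.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/deployment-incident-monitor.lock.yml) | - | - |
 | [Design Decision Gate 🏗️](https://github.com/github/gh-aw/blob/main/.github/workflows/design-decision-gate.md) | claude | [![Design Decision Gate 🏗️](https://github.com/github/gh-aw/actions/workflows/design-decision-gate.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/design-decision-gate.lock.yml) | - | - |
 | [Dev](https://github.com/github/gh-aw/blob/main/.github/workflows/dev.md) | pi | [![Dev](https://github.com/github/gh-aw/actions/workflows/dev.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dev.lock.yml) | `daily around 9:00` | - |
@@ -146,6 +149,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [Mergefest](https://github.com/github/gh-aw/blob/main/.github/workflows/mergefest.md) | copilot | [![Mergefest](https://github.com/github/gh-aw/actions/workflows/mergefest.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/mergefest.lock.yml) | - | `/mergefest` |
 | [Metrics Collector - Infrastructure Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/metrics-collector.md) | copilot | [![Metrics Collector - Infrastructure Agent](https://github.com/github/gh-aw/actions/workflows/metrics-collector.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/metrics-collector.lock.yml) | - | - |
 | [Multi-Device Docs Tester](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-multi-device-docs-tester.md) | claude | [![Multi-Device Docs Tester](https://github.com/github/gh-aw/actions/workflows/daily-multi-device-docs-tester.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-multi-device-docs-tester.lock.yml) | - | - |
+| [Necromancer](https://github.com/github/gh-aw/blob/main/.github/workflows/necromancer.md) | codex | [![Necromancer](https://github.com/github/gh-aw/actions/workflows/necromancer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/necromancer.lock.yml) | - | - |
 | [Organization Health Report](https://github.com/github/gh-aw/blob/main/.github/workflows/org-health-report.md) | copilot | [![Organization Health Report](https://github.com/github/gh-aw/actions/workflows/org-health-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/org-health-report.lock.yml) | - | - |
 | [Package Specification Enforcer](https://github.com/github/gh-aw/blob/main/.github/workflows/spec-enforcer.md) | claude | [![Package Specification Enforcer](https://github.com/github/gh-aw/actions/workflows/spec-enforcer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/spec-enforcer.lock.yml) | - | - |
 | [Package Specification Extractor](https://github.com/github/gh-aw/blob/main/.github/workflows/spec-extractor.md) | copilot | [![Package Specification Extractor](https://github.com/github/gh-aw/actions/workflows/spec-extractor.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/spec-extractor.lock.yml) | - | - |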
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
---
2+
title: Enterprise Configuration
3+
description: Configure GitHub Agentic Workflows for GitHub Enterprise Server (GHES) and GitHub Enterprise Cloud (GHEC), including artifact compatibility and CLI setup.
4+
sidebar:
5+
order: 51
6+
---
7+
8+
# Enterprise Configuration
9+
10+
This page covers configuration options specific to GitHub Enterprise Server (GHES) and GitHub Enterprise Cloud (GHEC) deployments.
11+
12+
## GitHub Enterprise Server (GHES) Compatibility
13+
14+
### Artifact Compatibility Mode
15+
16+
GHES instances running versions that predate `@actions/artifact` v2.0.0 support cannot use `actions/upload-artifact@v4+` or `actions/download-artifact@v4+`. Attempting to run compiled workflows on these instances produces a `GHESNotSupportedError`.
17+
18+
gh-aw includes a GHES compatibility mode that instructs the compiler to emit `upload-artifact@v3.2.2` and `download-artifact@v3.1.0` instead of the latest v4+ versions.
19+
20+
#### Enable via `aw.json` (recommended)
21+
22+
Set `ghes: true` in `.github/workflows/aw.json` to apply GHES compatibility to every workflow compiled in the repository:
23+
24+
```json
25+
{
26+
"ghes": true
27+
}
28+
```
29+
30+
#### Auto-detection with `gh aw init`
31+
32+
Running `gh aw init` inside a GHES repository automatically detects the deployment and writes `ghes: true` to `.github/workflows/aw.json`. No manual configuration is required.
33+
34+
#### Enable via CLI flag
35+
36+
Pass `--ghes` to `gh aw compile` for a one-off compilation without modifying `aw.json`:
37+
38+
```bash
39+
gh aw compile --ghes my-workflow.md
40+
```
41+
42+
> [!NOTE]
43+
> The `--ghes` flag only affects the current compilation. Use `aw.json` to apply GHES compatibility permanently across all workflows in the repository.
44+
45+
## GitHub Enterprise Server CLI Setup
46+
47+
For `gh` CLI configuration, host authentication, and `GH_HOST` setup on GHES, see [GitHub Enterprise Server Support](/gh-aw/setup/cli/#github-enterprise-server-support) in the CLI reference.
48+
49+
## Copilot Engine on GHES
50+
51+
For Copilot-specific prerequisites, licensing requirements, and firewall configuration on GHES, see [Copilot Engine Prerequisites on GHES](/gh-aw/troubleshooting/common-issues/#copilot-engine-prerequisites-on-ghes).

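--- a/docs/src/content/docs/reference/faq.md
+++ b/docs/src/content/docs/reference/faq.md
@@ -425,6 +425,28 @@ macOS runners (`macos-*`) are not currently supported in agentic workflows. Agen
 
 Use `ubuntu-latest` (the default) or another Linux-based runner instead. For tasks that genuinely require macOS-specific tooling, consider running those steps in a regular GitHub Actions job that coordinates with your agentic workflow.
 
+### Can I use agentic workflows on GitHub Enterprise Server (GHES)?
+
+Yes, but you may need to enable GHES compatibility mode to avoid artifact errors. GHES instances that predate `@actions/artifact` v2.0.0 support cannot run `actions/upload-artifact@v4+` or `actions/download-artifact@v4+`. On those instances, compiled workflows fail with a `GHESNotSupportedError` because the compiler emits v4+ artifact actions by default.
+
+Enable GHES compatibility mode so the compiler emits `upload-artifact@v3.2.2` and `download-artifact@v3.1.0` instead:
+
+**`aw.json` (recommended — applies to all workflows in the repository):**
+
+```json
+{
+"ghes": true
+}
+```
+
+**`--ghes` flag (one-off compilation):**
+
+```bash
+gh aw compile --ghes my-workflow.md
+```
+
+Running `gh aw init` inside a GHES repository automatically detects the deployment and writes `ghes: true` to `.github/workflows/aw.json` for you. For `gh` CLI host setup and Copilot prerequisites on GHES, see [Enterprise Configuration](/gh-aw/reference/enterprise-configuration/).
+
 ### I'm not using a supported AI Engine (coding agent). What should I do?
 
 If you want to use a coding agent that isn't currently supported (Copilot, Claude, Codex, Gemini, or Crush), you can contribute support to the [gh-aw repository](https://github.com/github/gh-aw), or open an issue describing your use case. See [AI Engines](/gh-aw/reference/engines/).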

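--- a/pkg/cli/compile_compiler_setup.go
+++ b/pkg/cli/compile_compiler_setup.go
@@ -171,6 +171,13 @@ func configureCompilerFlags(compiler *workflow.Compiler, config CompileConfig) {
 compileCompilerSetupLog.Print("Container image validation requires Docker (--validate-images flag)")
 }
 
+// Set GHES compatibility mode when the --ghes flag is passed.
+// When enabled, the compiler emits v3.x artifact action pins for GHES compatibility.
+compiler.SetGHESCompat(config.GHESCompat)
+if config.GHESCompat {
+compileCompilerSetupLog.Print("GHES compatibility mode enabled via --ghes flag: artifact actions will use v3.x pins")
+}
+
 // Load pre-cached manifests from file (written by MCP server at startup).
 // These take precedence over git HEAD / filesystem reads for safe update enforcement.
 if config.PriorManifestFile != "" {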
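Review bot: The only trace that the compiler swapped the artifact actions for older v3.x pins is the `compileCompilerSetupLog.Print` call, which looks like a debug logger, so a normal compile may give no visible sign of the downgrade. Because the setting changes which third-party action versions land in the generated workflow, I would emit a user-facing warning on stderr when `config.GHESCompat` is true. It is also worth confirming, outside this hunk, that the v3.x pins resolve to commit SHAs and go through the same manifest check as other action changes. The comment says the mode is set "when the --ghes flag is passed", but `SetGHESCompat` runs on every compile; I would reword it to `// Apply the GHES compatibility setting from CompileConfig; when true the compiler emits v3.x artifact action pins.` configureCompilerFlags starts and ends outside the hunk.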

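--- a/pkg/cli/compile_config.go
+++ b/pkg/cli/compile_config.go
@@ -33,6 +33,7 @@ type CompileConfig struct {
 Approve bool // Approve all safe update changes, skipping safe update enforcement regardless of strict mode setting.
 ValidateImages bool // Require Docker to be available for container image validation (fail instead of skipping when Docker is unavailable)
 PriorManifestFile string // Path to a JSON file containing pre-cached manifests (map[lockFile]*GHAWManifest) collected at MCP server startup; takes precedence over git HEAD / filesystem reads for safe update enforcement
+GHESCompat bool // Enable GHES compatibility mode: emit v3.x artifact action pins instead of v7/v8 (overrides aw.json ghes field)
 }
 
 // CompileValidationError represents a single validation error or warning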
