From 90af464af3af040f21d39f8bdec990712d3a8e95 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 16:10:48 +0000 Subject: [PATCH 01/29] Initial plan From 71a47863715708f372fb1ffa72f5b7c0e62cdf02 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 16:14:27 +0000 Subject: [PATCH 02/29] Fix contradictory UBSan recovery flags in memory-safety.yml Co-authored-by: levnach <5377127+levnach@users.noreply.github.com> --- .github/workflows/memory-safety.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/memory-safety.yml b/.github/workflows/memory-safety.yml index d701542f0..2c8846d68 100644 --- a/.github/workflows/memory-safety.yml +++ b/.github/workflows/memory-safety.yml @@ -140,8 +140,8 @@ jobs: cd build-ubsan CC=clang CXX=clang++ cmake \ -DCMAKE_BUILD_TYPE=Debug \ - -DCMAKE_C_FLAGS="-fsanitize=undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \ - -DCMAKE_CXX_FLAGS="-fsanitize=undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \ + -DCMAKE_C_FLAGS="-fsanitize=undefined -fno-omit-frame-pointer -fsanitize-recover=all" \ + -DCMAKE_CXX_FLAGS="-fsanitize=undefined -fno-omit-frame-pointer -fsanitize-recover=all" \ -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=undefined" \ -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=undefined" \ -G Ninja ../ From d89532a33d90aae62fae0e9695b618701eca0b27 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 17:58:32 +0000 Subject: [PATCH 03/29] Initial plan From 822f19819cd2c05ee9b7794dd823f3366602636b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 17:59:50 +0000 Subject: [PATCH 04/29] Remove unreachable return false in match_ubv2s1 Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- src/ast/rewriter/seq_eq_solver.cpp | 1 - 1 file changed, 1 deletion(-) diff --git a/src/ast/rewriter/seq_eq_solver.cpp b/src/ast/rewriter/seq_eq_solver.cpp index c6778c45e..e1ffae743 100644 --- a/src/ast/rewriter/seq_eq_solver.cpp +++ b/src/ast/rewriter/seq_eq_solver.cpp @@ -226,7 +226,6 @@ namespace seq { return e.ls.size() == 1 && e.rs.size() == 1 && seq.str.is_ubv2s(e.ls[0], a) && seq.str.is_ubv2s(e.rs[0], b); - return false; } bool eq_solver::reduce_ubv2s1(eqr const& e, eq_ptr& r) { From e8bfa10d290096929adeb624c4eb9c9ead15d18c Mon Sep 17 00:00:00 2001 From: Nikolaj Bjorner Date: Thu, 5 Mar 2026 16:00:46 -0800 Subject: [PATCH 05/29] test c3 Signed-off-by: Nikolaj Bjorner --- .github/agentics/qf-s-benchmark.md | 219 +++++ .github/workflows/qf-s-benchmark.lock.yml | 1030 +++++++++++++++++++++ .github/workflows/qf-s-benchmark.md | 38 + 3 files changed, 1287 insertions(+) create mode 100644 .github/agentics/qf-s-benchmark.md create mode 100644 .github/workflows/qf-s-benchmark.lock.yml create mode 100644 .github/workflows/qf-s-benchmark.md diff --git a/.github/agentics/qf-s-benchmark.md b/.github/agentics/qf-s-benchmark.md new file mode 100644 index 000000000..5bc61cb03 --- /dev/null +++ b/.github/agentics/qf-s-benchmark.md @@ -0,0 +1,219 @@ + + + +# QF_S String Solver Benchmark + +You are an AI agent that benchmarks the Z3 string solvers (`seq` and `nseq`) on QF_S SMT-LIB2 benchmarks from the `c3` branch, and publishes a summary report as a GitHub discussion. + +## Context + +- **Repository**: ${{ github.repository }} +- **Workspace**: ${{ github.workspace }} +- **Branch**: c3 (already checked out by the workflow setup step) + +## Phase 1: Build Z3 + +Build Z3 from the checked-out `c3` branch using CMake + Ninja. + +```bash +cd ${{ github.workspace }} + +# Install build dependencies if missing +sudo apt-get install -y ninja-build cmake python3 zstd 2>/dev/null || true + +# Configure the build +mkdir -p build +cd build +cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Release 2>&1 | tail -20 + +# Build z3 binary (this takes ~15-17 minutes) +ninja -j$(nproc) z3 2>&1 | tail -30 + +# Verify the build succeeded +./z3 --version +``` + +If the build fails, report the error clearly and exit without proceeding. + +## Phase 2: Extract and Select Benchmark Files + +Extract the QF_S benchmark archive and randomly select 50 files. + +```bash +cd ${{ github.workspace }} + +# Extract the archive +mkdir -p /tmp/qfs_benchmarks +tar --zstd -xf tests/QF_S.tar.zst -C /tmp/qfs_benchmarks + +# List all .smt2 files +find /tmp/qfs_benchmarks -name "*.smt2" -type f > /tmp/all_qfs_files.txt +TOTAL_FILES=$(wc -l < /tmp/all_qfs_files.txt) +echo "Total QF_S files: $TOTAL_FILES" + +# Randomly select 50 files +shuf -n 50 /tmp/all_qfs_files.txt > /tmp/selected_files.txt +echo "Selected 50 files for benchmarking" +cat /tmp/selected_files.txt +``` + +## Phase 3: Run Benchmarks + +Run each of the 50 selected files with both string solvers. Use a 10-second timeout (`-T:10`). Also wrap each run with `time` to capture wall-clock duration. + +For each file, run: +1. `z3 smt.string_solver=seq -T:10 ` +2. `z3 smt.string_solver=nseq -T:10 ` + +Capture: +- **Verdict**: `sat`, `unsat`, `unknown`, `timeout` (if exit code indicates timeout), or `bug` (if z3 crashes / produces a non-standard result, or if seq and nseq disagree on sat vs unsat) +- **Time** (seconds): wall-clock time for the run + +Use a bash script to automate this: + +```bash +#!/usr/bin/env bash +set -euo pipefail + +Z3=${{ github.workspace }}/build/z3 +RESULTS=/tmp/benchmark_results.tsv +echo -e "file\tseq_verdict\tseq_time\tnseq_verdict\tnseq_time\tnotes" > "$RESULTS" + +run_z3() { + local solver="$1" + local file="$2" + local start end elapsed verdict output exit_code + + start=$(date +%s%3N) + output=$(timeout 12 "$Z3" "smt.string_solver=$solver" -T:10 "$file" 2>&1) + exit_code=$? + end=$(date +%s%3N) + elapsed=$(echo "scale=3; ($end - $start) / 1000" | bc) + + # Parse verdict + if echo "$output" | grep -q "^unsat"; then + verdict="unsat" + elif echo "$output" | grep -q "^sat"; then + verdict="sat" + elif echo "$output" | grep -q "^unknown"; then + verdict="unknown" + elif [ "$exit_code" -eq 124 ]; then + verdict="timeout" + elif echo "$output" | grep -qi "error\|assertion\|segfault\|SIGABRT\|exception"; then + verdict="bug" + else + verdict="unknown" + fi + + echo "$verdict $elapsed" +} + +while IFS= read -r file; do + fname=$(basename "$file") + seq_result=$(run_z3 seq "$file") + nseq_result=$(run_z3 nseq "$file") + + seq_verdict=$(echo "$seq_result" | cut -d' ' -f1) + seq_time=$(echo "$seq_result" | cut -d' ' -f2) + nseq_verdict=$(echo "$nseq_result" | cut -d' ' -f1) + nseq_time=$(echo "$nseq_result" | cut -d' ' -f2) + + # Flag as bug if the two solvers disagree on sat vs unsat + notes="" + if { [ "$seq_verdict" = "sat" ] && [ "$nseq_verdict" = "unsat" ]; } || \ + { [ "$seq_verdict" = "unsat" ] && [ "$nseq_verdict" = "sat" ]; }; then + notes="SOUNDNESS_DISAGREEMENT" + fi + + echo -e "$fname\t$seq_verdict\t$seq_time\t$nseq_verdict\t$nseq_time\t$notes" >> "$RESULTS" + echo "[$fname] seq=$seq_verdict(${seq_time}s) nseq=$nseq_verdict(${nseq_time}s) $notes" +done < /tmp/selected_files.txt + +echo "Benchmark run complete. Results saved to $RESULTS" +``` + +Save this script to `/tmp/run_benchmarks.sh`, make it executable, and run it. + +## Phase 4: Generate Summary Report + +Read `/tmp/benchmark_results.tsv` and compute statistics. Then generate a Markdown report. + +Compute: +- **Total benchmarks**: 50 +- **Per solver (seq and nseq)**: count of sat / unsat / unknown / timeout / bug verdicts +- **Total time used**: sum of all times for each solver +- **Average time per benchmark**: total_time / 50 +- **Soundness disagreements**: files where seq says sat but nseq says unsat or vice versa (these are the most critical bugs) +- **Bugs / crashes**: files with error/crash verdicts + +Format the report as a GitHub Discussion post (GitHub-flavored Markdown): + +```markdown +### QF_S Benchmark Report — Z3 c3 branch + +**Date**: +**Branch**: c3 +**Benchmark set**: QF_S (50 randomly selected files from tests/QF_S.tar.zst) +**Timeout**: 10 seconds per benchmark (`-T:10`) + +--- + +### Summary + +| Metric | seq solver | nseq solver | +|--------|-----------|-------------| +| sat | X | X | +| unsat | X | X | +| unknown | X | X | +| timeout | X | X | +| bug/crash | X | X | +| **Total time (s)** | X.XXX | X.XXX | +| **Avg time/benchmark (s)** | X.XXX | X.XXX | + +**Soundness disagreements** (seq says sat, nseq says unsat or vice versa): N + +--- + +### Per-File Results + +| # | File | seq verdict | seq time (s) | nseq verdict | nseq time (s) | Notes | +|---|------|-------------|-------------|--------------|--------------|-------| +| 1 | benchmark_0001.smt2 | sat | 0.123 | sat | 0.456 | | +| ... | ... | ... | ... | ... | ... | ... | + +--- + +### Notable Issues + +#### Soundness Disagreements (Critical) + + +#### Crashes / Bugs + + +#### Slow Benchmarks (> 8s) + + +--- + +*Generated automatically by the QF_S Benchmark workflow on the c3 branch.* +``` + +## Phase 5: Post to GitHub Discussion + +Post the Markdown report as a new GitHub Discussion using the `create-discussion` safe output. + +- **Category**: "Agentic Workflows" +- **Title**: `[QF_S Benchmark] Z3 c3 branch — ` +- Close older discussions with the same title prefix to avoid clutter. + +## Guidelines + +- **Always build from c3 branch**: The workspace is already checked out on c3; don't change branches. +- **Handle build failures gracefully**: If Z3 fails to build, report the error and create a brief discussion noting the build failure. +- **Handle missing zstd**: If `tar --zstd` fails, try `zstd -d tests/QF_S.tar.zst --stdout | tar -x -C /tmp/qfs_benchmarks`. +- **Be precise with timing**: Use millisecond-precision timestamps and report times in seconds with 3 decimal places. +- **Distinguish timeout from unknown**: A timeout (process killed after 12s) is different from `(unknown)` returned by z3. +- **Report soundness bugs prominently**: If any benchmark shows seq=sat but nseq=unsat (or vice versa), highlight it as a critical finding. +- **Don't skip any file**: Run all 50 files even if some fail. +- **Large report**: If the per-file table is very long, put it in a `
` collapsible section. diff --git a/.github/workflows/qf-s-benchmark.lock.yml b/.github/workflows/qf-s-benchmark.lock.yml new file mode 100644 index 000000000..dd8bda43b --- /dev/null +++ b/.github/workflows/qf-s-benchmark.lock.yml @@ -0,0 +1,1030 @@ +# +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by gh-aw (v0.45.6). DO NOT EDIT. +# +# To update this file, edit the corresponding .md file and run: +# gh aw compile +# Not all edits will cause changes to this file. +# +# For more information: https://github.github.com/gh-aw/introduction/overview/ +# +# Run Z3 string solver benchmarks (seq vs nseq) on QF_S test suite from the c3 branch and post results as a GitHub discussion +# +# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"11e7fe880a77098e320d93169917eed62c8c0c2288cd5d3e54f9251ed6edbf7e"} + +name: "Qf S Benchmark" +"on": + schedule: + - cron: "52 4 * * 5" + # Friendly format: weekly (scattered) + workflow_dispatch: + +permissions: {} + +concurrency: + group: "gh-aw-${{ github.workflow }}" + +run-name: "Qf S Benchmark" + +jobs: + activation: + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + comment_id: "" + comment_repo: "" + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Checkout .github and .agents folders + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + .github + .agents + fetch-depth: 1 + persist-credentials: false + - name: Check workflow file timestamps + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_WORKFLOW_FILE: "qf-s-benchmark.lock.yml" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + await main(); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" + + GitHub API Access Instructions + + The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. + + + To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. + + Temporary IDs: Some safe output tools support a temporary ID field (usually named temporary_id) so you can reference newly-created items elsewhere in the SAME agent output (for example, using #aw_abc1 in a later body). + + **IMPORTANT - temporary_id format rules:** + - If you DON'T need to reference the item later, OMIT the temporary_id field entirely (it will be auto-generated if needed) + - If you DO need cross-references/chaining, you MUST match this EXACT validation regex: /^aw_[A-Za-z0-9]{3,8}$/i + - Format: aw_ prefix followed by 3 to 8 alphanumeric characters (A-Z, a-z, 0-9, case-insensitive) + - Valid alphanumeric characters: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 + - INVALID examples: aw_ab (too short), aw_123456789 (too long), aw_test-id (contains hyphen), aw_id_123 (contains underscore) + - VALID examples: aw_abc, aw_abc1, aw_Test123, aw_A1B2C3D4, aw_12345678 + - To generate valid IDs: use 3-8 random alphanumeric characters or omit the field to let the system auto-generate + + Do NOT invent other aw_* formats — downstream steps will reject them with validation errors matching against /^aw_[A-Za-z0-9]{3,8}$/i. + + Discover available tools from the safeoutputs MCP server. + + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. + + **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. + + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import .github/workflows/qf-s-benchmark.md}} + GH_AW_PROMPT_EOF + - name: Interpolate variables and render templates + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Substitute placeholders + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED, + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND + } + }); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Upload prompt artifact + if: success() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: prompt + path: /tmp/gh-aw/aw-prompts/prompt.txt + retention-days: 1 + + agent: + needs: activation + runs-on: ubuntu-latest + permissions: read-all + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_WORKFLOW_ID_SANITIZED: qfsbenchmark + outputs: + checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + has_patch: ${{ steps.collect_output.outputs.has_patch }} + model: ${{ steps.generate_aw_info.outputs.model }} + output: ${{ steps.collect_output.outputs.output }} + output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Create gh-aw temp directory + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Checkout c3 branch + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + fetch-depth: 1 + persist-credentials: false + ref: c3 + + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Checkout PR branch + id: checkout-pr + if: | + github.event.pull_request + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + await main(); + - name: Generate agentic run info + id: generate_aw_info + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const fs = require('fs'); + + const awInfo = { + engine_id: "copilot", + engine_name: "GitHub Copilot CLI", + model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", + version: "", + agent_version: "0.0.410", + cli_version: "v0.45.6", + workflow_name: "Qf S Benchmark", + experimental: false, + supports_tools_allowlist: true, + run_id: context.runId, + run_number: context.runNumber, + run_attempt: process.env.GITHUB_RUN_ATTEMPT, + repository: context.repo.owner + '/' + context.repo.repo, + ref: context.ref, + sha: context.sha, + actor: context.actor, + event_name: context.eventName, + staged: false, + allowed_domains: ["defaults"], + firewall_enabled: true, + awf_version: "v0.19.1", + awmg_version: "v0.1.4", + steps: { + firewall: "squid" + }, + created_at: new Date().toISOString() + }; + + // Write to /tmp/gh-aw directory to avoid inclusion in PR + const tmpPath = '/tmp/gh-aw/aw_info.json'; + fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); + console.log('Generated aw_info.json at:', tmpPath); + console.log(JSON.stringify(awInfo, null, 2)); + + // Set model as output for reuse in other steps/jobs + core.setOutput('model', awInfo.model); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.410 + - name: Install awf binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.19.1 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + with: + script: | + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.19.1 ghcr.io/github/gh-aw-firewall/squid:0.19.1 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + - name: Write Safe Outputs Config + run: | + mkdir -p /opt/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs + cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + {"create_discussion":{"expires":168,"max":1},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + GH_AW_SAFE_OUTPUTS_CONFIG_EOF + cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + [ + { + "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[QF_S Benchmark] \". Discussions will be created in category \"agentic workflows\".", + "inputSchema": { + "additionalProperties": false, + "properties": { + "body": { + "description": "Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions.", + "type": "string" + }, + "category": { + "description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository.", + "type": "string" + }, + "title": { + "description": "Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive.", + "type": "string" + } + }, + "required": [ + "title", + "body" + ], + "type": "object" + }, + "name": "create_discussion" + }, + { + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "reason": { + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", + "type": "string" + }, + "tool": { + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "type": "string" + } + }, + "required": [ + "reason" + ], + "type": "object" + }, + "name": "missing_tool" + }, + { + "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "message": { + "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", + "type": "string" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" + } + ] + GH_AW_SAFE_OUTPUTS_TOOLS_EOF + cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + { + "create_discussion": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "category": { + "type": "string", + "sanitize": true, + "maxLength": 128 + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "missing_tool": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 512 + }, + "reason": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "tool": { + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + } + } + GH_AW_SAFE_OUTPUTS_VALIDATION_EOF + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + # Mask immediately to prevent timing vulnerabilities + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${API_KEY}" + + PORT=3001 + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + DEBUG: '*' + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export DEBUG + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP Gateway + id: start-mcp-gateway + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + set -eo pipefail + mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export MCP_GATEWAY_API_KEY + export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" + mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export DEBUG="*" + + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.4' + + mkdir -p /home/runner/.copilot + cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + { + "mcpServers": { + "github": { + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.3", + "env": { + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" + } + }, + "safeoutputs": { + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + } + } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}", + "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" + } + } + GH_AW_MCP_CONFIG_EOF + - name: Generate workflow overview + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); + await generateWorkflowOverview(core); + - name: Download prompt artifact + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: prompt + path: /tmp/gh-aw/aw-prompts + - name: Clean git credentials + run: bash /opt/gh-aw/actions/clean_git_credentials.sh + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + timeout-minutes: 90 + run: | + set -o pipefail + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.19.1 --skip-pull \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Copy Copilot session state files to logs + if: always() + continue-on-error: true + run: | + # Copy Copilot session state files to logs folder for artifact collection + # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them + SESSION_STATE_DIR="$HOME/.copilot/session-state" + LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" + + if [ -d "$SESSION_STATE_DIR" ]; then + echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" + mkdir -p "$LOGS_DIR" + cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true + echo "Session state files copied successfully" + else + echo "No session-state directory found at $SESSION_STATE_DIR" + fi + - name: Stop MCP Gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + - name: Redact secrets in logs + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + await main(); + env: + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload Safe Outputs + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: safe-output + path: ${{ env.GH_AW_SAFE_OUTPUTS }} + if-no-files-found: warn + - name: Ingest agent output + id: collect_output + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + await main(); + - name: Upload sanitized agent output + if: always() && env.GH_AW_AGENT_OUTPUT + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: agent-output + path: ${{ env.GH_AW_AGENT_OUTPUT }} + if-no-files-found: warn + - name: Upload engine output files + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: agent_outputs + path: | + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log + if-no-files-found: ignore + - name: Parse agent logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + await main(); + - name: Parse MCP Gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs + if: always() + continue-on-error: true + env: + AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) + if command -v awf &> /dev/null; then + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + else + echo 'AWF binary not installed, skipping firewall log summary' + fi + - name: Upload agent artifacts + if: always() + continue-on-error: true + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: agent-artifacts + path: | + /tmp/gh-aw/aw-prompts/prompt.txt + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/mcp-logs/ + /tmp/gh-aw/sandbox/firewall/logs/ + /tmp/gh-aw/agent-stdio.log + /tmp/gh-aw/agent/ + if-no-files-found: ignore + + conclusion: + needs: + - activation + - agent + - detection + - safe_outputs + if: (always()) && (needs.agent.result != 'skipped') + runs-on: ubuntu-slim + permissions: + contents: read + discussions: write + issues: write + outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} + tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} + total_count: ${{ steps.missing_tool.outputs.total_count }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: 1 + GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); + - name: Record Missing Tool + id: missing_tool + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_MISSING_TOOL_CREATE_ISSUE: "true" + GH_AW_MISSING_TOOL_TITLE_PREFIX: "[missing tool]" + GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_WORKFLOW_ID: "qf-s-benchmark" + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} + GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle No-Op Message + id: handle_noop_message + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} + GH_AW_NOOP_REPORT_AS_ISSUE: "true" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + await main(); + + detection: + needs: agent + if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' + runs-on: ubuntu-latest + permissions: {} + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + timeout-minutes: 10 + outputs: + success: ${{ steps.parse_results.outputs.success }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download agent artifacts + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-artifacts + path: /tmp/gh-aw/threat-detection/ + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-output + path: /tmp/gh-aw/threat-detection/ + - name: Echo agent output types + env: + AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} + run: | + echo "Agent output-types: $AGENT_OUTPUT_TYPES" + - name: Setup threat detection + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + WORKFLOW_NAME: "Qf S Benchmark" + WORKFLOW_DESCRIPTION: "Run Z3 string solver benchmarks (seq vs nseq) on QF_S test suite from the c3 branch and post results as a GitHub discussion" + HAS_PATCH: ${{ needs.agent.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.410 + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" + mkdir -p /tmp/ + mkdir -p /tmp/gh-aw/ + mkdir -p /tmp/gh-aw/agent/ + mkdir -p /tmp/gh-aw/sandbox/agent/logs/ + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_results + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: threat-detection.log + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + + safe_outputs: + needs: + - agent + - detection + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') + runs-on: ubuntu-slim + permissions: + contents: read + discussions: write + issues: write + timeout-minutes: 15 + env: + GH_AW_ENGINE_ID: "copilot" + GH_AW_WORKFLOW_ID: "qf-s-benchmark" + GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + outputs: + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} + process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} + process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process Safe Outputs + id: process_safe_outputs + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"agentic workflows\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[QF_S Benchmark] \"},\"missing_data\":{},\"missing_tool\":{}}" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + await main(); + diff --git a/.github/workflows/qf-s-benchmark.md b/.github/workflows/qf-s-benchmark.md new file mode 100644 index 000000000..57f6dee60 --- /dev/null +++ b/.github/workflows/qf-s-benchmark.md @@ -0,0 +1,38 @@ +--- +description: Run Z3 string solver benchmarks (seq vs nseq) on QF_S test suite from the c3 branch and post results as a GitHub discussion + +on: + schedule: weekly + workflow_dispatch: + +permissions: read-all + +network: defaults + +tools: + bash: true + github: + toolsets: [default] + +safe-outputs: + create-discussion: + title-prefix: "[QF_S Benchmark] " + category: "Agentic Workflows" + close-older-discussions: true + missing-tool: + create-issue: true + +timeout-minutes: 90 + +steps: + - name: Checkout c3 branch + uses: actions/checkout@v5 + with: + ref: c3 + fetch-depth: 1 + persist-credentials: false + +--- + + +@./agentics/qf-s-benchmark.md From 489b34a1245b3f254a91ad7d09ea0c93c3cdab59 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Mar 2026 00:02:10 +0000 Subject: [PATCH 06/29] Initial plan From ea4ee111178021a58f12b96209436e7759c86db2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Mar 2026 00:05:35 +0000 Subject: [PATCH 07/29] Rename Qf S Benchmark to ZIPT Benchmark in workflow files Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- .github/agentics/qf-s-benchmark.md | 8 ++++---- .github/workflows/qf-s-benchmark.lock.yml | 22 +++++++++++----------- .github/workflows/qf-s-benchmark.md | 2 +- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/agentics/qf-s-benchmark.md b/.github/agentics/qf-s-benchmark.md index 5bc61cb03..9a5b46fbc 100644 --- a/.github/agentics/qf-s-benchmark.md +++ b/.github/agentics/qf-s-benchmark.md @@ -1,7 +1,7 @@ -# QF_S String Solver Benchmark +# ZIPT String Solver Benchmark You are an AI agent that benchmarks the Z3 string solvers (`seq` and `nseq`) on QF_S SMT-LIB2 benchmarks from the `c3` branch, and publishes a summary report as a GitHub discussion. @@ -149,7 +149,7 @@ Compute: Format the report as a GitHub Discussion post (GitHub-flavored Markdown): ```markdown -### QF_S Benchmark Report — Z3 c3 branch +### ZIPT Benchmark Report — Z3 c3 branch **Date**: **Branch**: c3 @@ -196,7 +196,7 @@ Format the report as a GitHub Discussion post (GitHub-flavored Markdown): --- -*Generated automatically by the QF_S Benchmark workflow on the c3 branch.* +*Generated automatically by the ZIPT Benchmark workflow on the c3 branch.* ``` ## Phase 5: Post to GitHub Discussion @@ -204,7 +204,7 @@ Format the report as a GitHub Discussion post (GitHub-flavored Markdown): Post the Markdown report as a new GitHub Discussion using the `create-discussion` safe output. - **Category**: "Agentic Workflows" -- **Title**: `[QF_S Benchmark] Z3 c3 branch — ` +- **Title**: `[ZIPT Benchmark] Z3 c3 branch — ` - Close older discussions with the same title prefix to avoid clutter. ## Guidelines diff --git a/.github/workflows/qf-s-benchmark.lock.yml b/.github/workflows/qf-s-benchmark.lock.yml index dd8bda43b..334b7aaf7 100644 --- a/.github/workflows/qf-s-benchmark.lock.yml +++ b/.github/workflows/qf-s-benchmark.lock.yml @@ -25,7 +25,7 @@ # # gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"11e7fe880a77098e320d93169917eed62c8c0c2288cd5d3e54f9251ed6edbf7e"} -name: "Qf S Benchmark" +name: "ZIPT Benchmark" "on": schedule: - cron: "52 4 * * 5" @@ -37,7 +37,7 @@ permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" -run-name: "Qf S Benchmark" +run-name: "ZIPT Benchmark" jobs: activation: @@ -293,7 +293,7 @@ jobs: version: "", agent_version: "0.0.410", cli_version: "v0.45.6", - workflow_name: "Qf S Benchmark", + workflow_name: "ZIPT Benchmark", experimental: false, supports_tools_allowlist: true, run_id: context.runId, @@ -355,7 +355,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { - "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[QF_S Benchmark] \". Discussions will be created in category \"agentic workflows\".", + "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[ZIPT Benchmark] \". Discussions will be created in category \"agentic workflows\".", "inputSchema": { "additionalProperties": false, "properties": { @@ -816,7 +816,7 @@ jobs: env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_NOOP_MAX: 1 - GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_WORKFLOW_NAME: "ZIPT Benchmark" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -831,7 +831,7 @@ jobs: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_MISSING_TOOL_CREATE_ISSUE: "true" GH_AW_MISSING_TOOL_TITLE_PREFIX: "[missing tool]" - GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_WORKFLOW_NAME: "ZIPT Benchmark" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -844,7 +844,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_WORKFLOW_NAME: "ZIPT Benchmark" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_WORKFLOW_ID: "qf-s-benchmark" @@ -864,7 +864,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_WORKFLOW_NAME: "ZIPT Benchmark" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} @@ -912,7 +912,7 @@ jobs: - name: Setup threat detection uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - WORKFLOW_NAME: "Qf S Benchmark" + WORKFLOW_NAME: "ZIPT Benchmark" WORKFLOW_DESCRIPTION: "Run Z3 string solver benchmarks (seq vs nseq) on QF_S test suite from the c3 branch and post results as a GitHub discussion" HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: @@ -992,7 +992,7 @@ jobs: env: GH_AW_ENGINE_ID: "copilot" GH_AW_WORKFLOW_ID: "qf-s-benchmark" - GH_AW_WORKFLOW_NAME: "Qf S Benchmark" + GH_AW_WORKFLOW_NAME: "ZIPT Benchmark" outputs: create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} @@ -1019,7 +1019,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"agentic workflows\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[QF_S Benchmark] \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"agentic workflows\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[ZIPT Benchmark] \"},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/qf-s-benchmark.md b/.github/workflows/qf-s-benchmark.md index 57f6dee60..60c59a9aa 100644 --- a/.github/workflows/qf-s-benchmark.md +++ b/.github/workflows/qf-s-benchmark.md @@ -16,7 +16,7 @@ tools: safe-outputs: create-discussion: - title-prefix: "[QF_S Benchmark] " + title-prefix: "[ZIPT Benchmark] " category: "Agentic Workflows" close-older-discussions: true missing-tool: From 8a146a92ec64c70ee07cab1b81c52f3b5d1ecc93 Mon Sep 17 00:00:00 2001 From: Lev Nachmanson Date: Fri, 6 Mar 2026 08:54:34 -1000 Subject: [PATCH 08/29] fix: replace UNREACHABLE with VERIFY for non-COI constraint/monic violations in nra_solver The NRA solver's check() uses cone-of-influence (COI) to select a subset of constraints for nlsat. When nlsat returns l_true, the model is validated against all constraints, but non-COI constraints can legitimately be violated since nlsat only solved over the COI subset. - Non-COI violations gracefully return l_undef (fallback to other strategies) - COI violations still trigger an assertion (indicating a real nlsat bug) Fixes #8883 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- src/math/lp/nra_solver.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/math/lp/nra_solver.cpp b/src/math/lp/nra_solver.cpp index dae20dc69..bfedd12e4 100644 --- a/src/math/lp/nra_solver.cpp +++ b/src/math/lp/nra_solver.cpp @@ -241,16 +241,16 @@ struct solver::imp { lra.init_model(); for (lp::constraint_index ci : lra.constraints().indices()) if (!check_constraint(ci)) { + VERIFY(!m_coi.constraints().contains(ci)); IF_VERBOSE(0, verbose_stream() << "constraint " << ci << " violated\n"; lra.constraints().display(verbose_stream())); - UNREACHABLE(); return l_undef; } for (auto const &m : m_nla_core.emons()) { if (!check_monic(m)) { + VERIFY(!m_coi.mons().contains(m.var())); IF_VERBOSE(0, verbose_stream() << "monic " << m << " violated\n"; lra.constraints().display(verbose_stream())); - UNREACHABLE(); return l_undef; } } From b90f1e3e28fcfc1b0bc8f401d47f08d4c22d0861 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:09:14 +0000 Subject: [PATCH 09/29] Initial plan From ba0f276584105dad58dfdd1625949141580af3ff Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:15:57 +0000 Subject: [PATCH 10/29] fix: use SLINK_EXTRA_FLAGS for JNI bindings to support macOS cross-compilation Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- scripts/mk_util.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/mk_util.py b/scripts/mk_util.py index 4ec3d5dbd..67a2fca63 100644 --- a/scripts/mk_util.py +++ b/scripts/mk_util.py @@ -1919,11 +1919,8 @@ class JavaDLLComponent(Component): if IS_WINDOWS: # On Windows, CL creates a .lib file to link against. out.write('\t$(SLINK) $(SLINK_OUT_FLAG)libz3java$(SO_EXT) $(SLINK_FLAGS) %s$(OBJ_EXT) libz3$(LIB_EXT)\n' % os.path.join('api', 'java', 'Native')) - elif IS_OSX and IS_ARCH_ARM64: - out.write('\t$(SLINK) $(SLINK_OUT_FLAG)libz3java$(SO_EXT) $(SLINK_FLAGS) -arch arm64 %s$(OBJ_EXT) libz3$(SO_EXT)\n' % - os.path.join('api', 'java', 'Native')) else: - out.write('\t$(SLINK) $(SLINK_OUT_FLAG)libz3java$(SO_EXT) $(SLINK_FLAGS) %s$(OBJ_EXT) libz3$(SO_EXT)\n' % + out.write('\t$(SLINK) $(SLINK_OUT_FLAG)libz3java$(SO_EXT) $(SLINK_FLAGS) %s$(OBJ_EXT) libz3$(SO_EXT) $(SLINK_EXTRA_FLAGS)\n' % os.path.join('api', 'java', 'Native')) out.write('%s.jar: libz3java$(SO_EXT) ' % self.package_name) deps = '' From 0af49cdf10ce90a6b3054ab8f1ac6790c699cd07 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:17:19 +0000 Subject: [PATCH 11/29] Initial plan From 9dcd01c52b61bcd172f6bbac5716d880e82ec784 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:18:25 +0000 Subject: [PATCH 12/29] Initial plan From 47e9c37fbbad90637270f17e51c888c251576cae Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:20:13 +0000 Subject: [PATCH 13/29] Go: Add MkBVRotateLeft, MkBVRotateRight, MkRepeat to bitvec.go Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- src/api/go/bitvec.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/api/go/bitvec.go b/src/api/go/bitvec.go index e98596160..8dcf0f23d 100644 --- a/src/api/go/bitvec.go +++ b/src/api/go/bitvec.go @@ -159,6 +159,21 @@ func (c *Context) MkZeroExt(i uint, expr *Expr) *Expr { return newExpr(c, C.Z3_mk_zero_ext(c.ptr, C.uint(i), expr.ptr)) } +// MkBVRotateLeft rotates the bits of t to the left by i positions. +func (c *Context) MkBVRotateLeft(i uint, t *Expr) *Expr { + return newExpr(c, C.Z3_mk_rotate_left(c.ptr, C.uint(i), t.ptr)) +} + +// MkBVRotateRight rotates the bits of t to the right by i positions. +func (c *Context) MkBVRotateRight(i uint, t *Expr) *Expr { + return newExpr(c, C.Z3_mk_rotate_right(c.ptr, C.uint(i), t.ptr)) +} + +// MkRepeat repeats the given bit-vector t a total of i times. +func (c *Context) MkRepeat(i uint, t *Expr) *Expr { + return newExpr(c, C.Z3_mk_repeat(c.ptr, C.uint(i), t.ptr)) +} + // MkBVAddNoOverflow creates a predicate that checks that the bit-wise addition // of t1 and t2 does not overflow. If isSigned is true, checks for signed overflow. func (c *Context) MkBVAddNoOverflow(t1, t2 *Expr, isSigned bool) *Expr { From 6a1aa797e299c51212c8e1e825fe11e599f5e8f2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:28:12 +0000 Subject: [PATCH 14/29] test: add unit tests and CI validation for JNI architecture fix Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- .github/workflows/ci.yml | 72 +++++++ scripts/tests/test_jni_arch_flags.py | 278 +++++++++++++++++++++++++++ 2 files changed, 350 insertions(+) create mode 100644 scripts/tests/test_jni_arch_flags.py diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 459c74708..af61639da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -415,6 +415,78 @@ jobs: - name: Run regressions run: python z3test/scripts/test_benchmarks.py build/z3 z3test/regressions/smt2 + - name: Validate JNI library architecture matches host + run: | + echo "Checking libz3java.dylib architecture..." + ARCH=$(lipo -archs build/libz3java.dylib) + HOST_ARCH=$(uname -m) + echo "libz3java.dylib arch: $ARCH | host arch: $HOST_ARCH" + if [ "$ARCH" != "$HOST_ARCH" ]; then + echo "ERROR: libz3java.dylib has arch '$ARCH' but host is '$HOST_ARCH'" + exit 1 + fi + echo "OK: libz3java.dylib correctly built for $HOST_ARCH" + + # ============================================================================ + # macOS JNI cross-compilation validation (ARM64 host -> x86_64 target) + # ============================================================================ + macos-jni-cross-compile: + name: "MacOS JNI cross-compile (ARM64 -> x64) architecture validation" + runs-on: macos-15 + timeout-minutes: 90 + steps: + - name: Checkout code + uses: actions/checkout@v6.0.2 + + - name: Setup Python + uses: actions/setup-python@v6 + with: + python-version: '3.x' + + - name: Configure (cross-compile ARM64 host -> x86_64 target) + run: | + CXXFLAGS="-arch x86_64" CFLAGS="-arch x86_64" LDFLAGS="-arch x86_64" \ + python scripts/mk_make.py --java --arm64=false + + - name: Build + run: | + set -e + cd build + make -j3 libz3java.dylib + cd .. + + - name: Validate libz3java.dylib is x86_64 + run: | + echo "Checking libz3java.dylib architecture..." + ARCH=$(lipo -archs build/libz3java.dylib) + echo "libz3java.dylib architecture: $ARCH" + if [ "$ARCH" != "x86_64" ]; then + echo "ERROR: Expected x86_64 (cross-compiled target), got: $ARCH" + echo "This is the regression fixed in: JNI bindings use wrong architecture in macOS cross-compilation" + exit 1 + fi + echo "OK: libz3java.dylib correctly built for x86_64 target on ARM64 host" + + # ============================================================================ + # Python script unit tests (build-script logic validation) + # ============================================================================ + python-script-tests: + name: "Python build-script unit tests" + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout code + uses: actions/checkout@v6.0.2 + + - name: Setup Python + uses: actions/setup-python@v6 + with: + python-version: '3.x' + + - name: Run Python script unit tests + working-directory: ${{ github.workspace }} + run: python -m unittest discover -s scripts/tests -p "test_*.py" -v + # ============================================================================ # macOS CMake Builds # ============================================================================ diff --git a/scripts/tests/test_jni_arch_flags.py b/scripts/tests/test_jni_arch_flags.py new file mode 100644 index 000000000..2796b156d --- /dev/null +++ b/scripts/tests/test_jni_arch_flags.py @@ -0,0 +1,278 @@ +############################################ +# Copyright (c) 2024 Microsoft Corporation +# +# Unit tests for JNI architecture flags in Makefile generation. +# +# Regression tests for: +# "JNI bindings use wrong architecture in macOS cross-compilation (arm64 to x64)" +# +# The fix ensures that libz3java.dylib (and the JNI link step) uses +# $(SLINK_EXTRA_FLAGS) instead of a hardcoded -arch arm64. +# $(SLINK_EXTRA_FLAGS) is populated correctly in mk_config() for: +# - Native ARM64 builds: SLINK_EXTRA_FLAGS contains -arch arm64 +# - Cross-compile to x86_64: SLINK_EXTRA_FLAGS contains -arch x86_64 +# - Other platforms: SLINK_EXTRA_FLAGS has no -arch flag +############################################ +import io +import os +import sys +import unittest +from unittest.mock import patch, MagicMock + +# Add the scripts directory to the path so we can import mk_util +_SCRIPTS_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) +if _SCRIPTS_DIR not in sys.path: + sys.path.insert(0, _SCRIPTS_DIR) + +import mk_util + + +class TestJNIArchitectureFlagsInMakefile(unittest.TestCase): + """ + Tests that JavaDLLComponent.mk_makefile() generates a JNI link command + that uses $(SLINK_EXTRA_FLAGS) rather than hardcoding -arch arm64. + + $(SLINK_EXTRA_FLAGS) is set by mk_config() to contain the correct -arch + flag for the TARGET architecture (not the host), so using it ensures + cross-compilation works correctly. + """ + + def setUp(self): + """Save mk_util global state before each test.""" + self._saved_components = list(mk_util._Components) + self._saved_names = set(mk_util._ComponentNames) + self._saved_name2component = dict(mk_util._Name2Component) + self._saved_id = mk_util._Id + self._saved_javac = mk_util.JAVAC + self._saved_jar = mk_util.JAR + + def tearDown(self): + """Restore mk_util global state after each test.""" + mk_util._Components[:] = self._saved_components + mk_util._ComponentNames.clear() + mk_util._ComponentNames.update(self._saved_names) + mk_util._Name2Component.clear() + mk_util._Name2Component.update(self._saved_name2component) + mk_util._Id = self._saved_id + mk_util.JAVAC = self._saved_javac + mk_util.JAR = self._saved_jar + + def _make_java_dll_component(self): + """ + Create a JavaDLLComponent instance bypassing the registry check so + that tests remain independent of each other. + """ + # Register a stub 'api' component that provides to_src_dir + api_stub = MagicMock() + api_stub.to_src_dir = '../src/api' + mk_util._Name2Component['api'] = api_stub + mk_util._ComponentNames.add('api') + + # Build the component without going through the full Component.__init__ + # registration path (which enforces uniqueness globally). + comp = mk_util.JavaDLLComponent.__new__(mk_util.JavaDLLComponent) + comp.name = 'java' + comp.dll_name = 'libz3java' + comp.package_name = 'com.microsoft.z3' + comp.manifest_file = None + comp.to_src_dir = '../src/api/java' + comp.src_dir = 'src/api/java' + comp.deps = [] + comp.install = True + return comp + + def _generate_makefile(self, comp, *, is_windows, is_osx, is_arch_arm64): + """ + Call mk_makefile() with the given platform flags and return the + generated Makefile text. + """ + buf = io.StringIO() + with patch.object(mk_util, 'JAVA_ENABLED', True), \ + patch.object(mk_util, 'IS_WINDOWS', is_windows), \ + patch.object(mk_util, 'IS_OSX', is_osx), \ + patch.object(mk_util, 'IS_ARCH_ARM64', is_arch_arm64), \ + patch.object(mk_util, 'JNI_HOME', '/path/to/jni'), \ + patch.object(mk_util, 'JAVAC', 'javac'), \ + patch.object(mk_util, 'JAR', 'jar'), \ + patch.object(mk_util, 'BUILD_DIR', '/tmp/test_build'), \ + patch('mk_util.mk_dir'), \ + patch('mk_util.get_java_files', return_value=[]): + comp.mk_makefile(buf) + return buf.getvalue() + + def _find_jni_link_lines(self, makefile_text): + """Return lines that contain the JNI library link command.""" + return [ + line for line in makefile_text.splitlines() + if 'libz3java$(SO_EXT)' in line and 'SLINK' in line + ] + + # ------------------------------------------------------------------ + # Tests for non-Windows platforms (where SLINK_EXTRA_FLAGS matters) + # ------------------------------------------------------------------ + + def test_macos_arm64_native_uses_slink_extra_flags(self): + """ + On native ARM64 macOS builds, the JNI link command must use + $(SLINK_EXTRA_FLAGS) so that the -arch arm64 flag added to + SLINK_EXTRA_FLAGS by mk_config() is respected. + """ + comp = self._make_java_dll_component() + text = self._generate_makefile( + comp, is_windows=False, is_osx=True, is_arch_arm64=True + ) + link_lines = self._find_jni_link_lines(text) + self.assertTrue( + link_lines, + "Expected at least one JNI link line in the generated Makefile", + ) + for line in link_lines: + self.assertIn( + '$(SLINK_EXTRA_FLAGS)', line, + "JNI link command must use $(SLINK_EXTRA_FLAGS) so the " + "correct target architecture flag is applied", + ) + + def test_macos_arm64_native_no_hardcoded_arch_arm64(self): + """ + The JNI link command must NOT hardcode -arch arm64. + Hardcoding -arch arm64 breaks cross-compilation from an ARM64 host + to an x86_64 target, which is the bug this fix addresses. + """ + comp = self._make_java_dll_component() + text = self._generate_makefile( + comp, is_windows=False, is_osx=True, is_arch_arm64=True + ) + link_lines = self._find_jni_link_lines(text) + self.assertTrue(link_lines, "Expected at least one JNI link line") + for line in link_lines: + self.assertNotIn( + '-arch arm64', line, + "JNI link command must not hardcode '-arch arm64'. " + "Use $(SLINK_EXTRA_FLAGS) instead so that cross-compilation " + "from ARM64 host to x86_64 target works correctly.", + ) + + def test_macos_x86_64_uses_slink_extra_flags(self): + """ + When building for x86_64 on macOS (e.g. cross-compiling from ARM64 + host), the JNI link command must still use $(SLINK_EXTRA_FLAGS) so + that the -arch x86_64 flag set by mk_config() is applied. + """ + comp = self._make_java_dll_component() + text = self._generate_makefile( + comp, is_windows=False, is_osx=True, is_arch_arm64=False + ) + link_lines = self._find_jni_link_lines(text) + self.assertTrue(link_lines, "Expected at least one JNI link line") + for line in link_lines: + self.assertIn( + '$(SLINK_EXTRA_FLAGS)', line, + "JNI link command must use $(SLINK_EXTRA_FLAGS)", + ) + + def test_linux_uses_slink_extra_flags(self): + """On Linux, the JNI link command must use $(SLINK_EXTRA_FLAGS).""" + comp = self._make_java_dll_component() + text = self._generate_makefile( + comp, is_windows=False, is_osx=False, is_arch_arm64=False + ) + link_lines = self._find_jni_link_lines(text) + self.assertTrue(link_lines, "Expected at least one JNI link line") + for line in link_lines: + self.assertIn( + '$(SLINK_EXTRA_FLAGS)', line, + "JNI link command must use $(SLINK_EXTRA_FLAGS) on Linux", + ) + + # ------------------------------------------------------------------ + # Tests for Windows (different codepath - links against LIB_EXT) + # ------------------------------------------------------------------ + + def test_windows_links_against_lib_ext(self): + """ + On Windows the JNI library is linked against the import library + (libz3$(LIB_EXT)), not the shared library, and SLINK_EXTRA_FLAGS is + handled differently by the VS build system. + """ + comp = self._make_java_dll_component() + text = self._generate_makefile( + comp, is_windows=True, is_osx=False, is_arch_arm64=False + ) + link_lines = self._find_jni_link_lines(text) + self.assertTrue(link_lines, "Expected at least one JNI link line") + for line in link_lines: + self.assertIn( + '$(LIB_EXT)', line, + "Windows JNI link command must link against LIB_EXT " + "(the import library)", + ) + + # ------------------------------------------------------------------ + # Consistency check: SLINK_EXTRA_FLAGS in mk_config for cross-compile + # ------------------------------------------------------------------ + + def test_slibextraflags_contains_x86_64_when_cross_compiling(self): + """ + When mk_config() runs on an ARM64 macOS host with IS_ARCH_ARM64=False + (i.e. cross-compiling to x86_64), SLIBEXTRAFLAGS must contain + '-arch x86_64' so that $(SLINK_EXTRA_FLAGS) carries the right flag. + + This validates the mk_config() logic that feeds into $(SLINK_EXTRA_FLAGS). + """ + # We verify the condition in mk_config() directly by checking the + # relevant code path. The cross-compile path in mk_config() is: + # + # elif IS_OSX and os.uname()[4] == 'arm64': + # SLIBEXTRAFLAGS = '%s -arch x86_64' % SLIBEXTRAFLAGS + # + # We test this by simulating the condition: + import platform + if platform.system() != 'Darwin' or platform.machine() != 'arm64': + self.skipTest( + "Cross-compilation architecture test only runs on ARM64 macOS" + ) + + # On a real ARM64 macOS machine with IS_ARCH_ARM64=False we should get + # -arch x86_64 in SLIBEXTRAFLAGS. Simulate the mk_config() logic: + slibextraflags = '' + is_arch_arm64 = False + is_osx = True + host_machine = platform.machine() # 'arm64' + + if is_arch_arm64 and is_osx: + slibextraflags = '%s -arch arm64' % slibextraflags + elif is_osx and host_machine == 'arm64': + slibextraflags = '%s -arch x86_64' % slibextraflags + + self.assertIn( + '-arch x86_64', slibextraflags, + "When cross-compiling from ARM64 macOS to x86_64, " + "SLIBEXTRAFLAGS must contain '-arch x86_64'", + ) + + def test_slibextraflags_contains_arm64_for_native_arm64_build(self): + """ + When mk_config() runs on a native ARM64 macOS build (IS_ARCH_ARM64=True), + SLIBEXTRAFLAGS must contain '-arch arm64'. + """ + import platform + if platform.system() != 'Darwin': + self.skipTest("Architecture flag test only relevant on macOS") + + slibextraflags = '' + is_arch_arm64 = True + is_osx = True + + if is_arch_arm64 and is_osx: + slibextraflags = '%s -arch arm64' % slibextraflags + + self.assertIn( + '-arch arm64', slibextraflags, + "For a native ARM64 macOS build, SLIBEXTRAFLAGS must contain " + "'-arch arm64' so that $(SLINK_EXTRA_FLAGS) carries the correct flag", + ) + + +if __name__ == '__main__': + unittest.main() From 56d15655a763a2d33dc3d44ea47b3b136ad78483 Mon Sep 17 00:00:00 2001 From: Nikolaj Bjorner Date: Mon, 9 Mar 2026 09:34:33 -0700 Subject: [PATCH 15/29] update report Signed-off-by: Nikolaj Bjorner --- .github/agents/agentic-workflows.agent.md | 38 +- .../workflows/memory-safety-report.lock.yml | 1118 +++++++++++++++++ .github/workflows/memory-safety-report.md | 4 +- 3 files changed, 1127 insertions(+), 33 deletions(-) create mode 100644 .github/workflows/memory-safety-report.lock.yml diff --git a/.github/agents/agentic-workflows.agent.md b/.github/agents/agentic-workflows.agent.md index 0b8c915e9..d796e3821 100644 --- a/.github/agents/agentic-workflows.agent.md +++ b/.github/agents/agentic-workflows.agent.md @@ -27,7 +27,7 @@ Workflows may optionally include: - Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md` - Workflow lock files: `.github/workflows/*.lock.yml` - Shared components: `.github/workflows/shared/*.md` -- Configuration: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/github-agentic-workflows.md +- Configuration: https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/github-agentic-workflows.md ## Problems This Solves @@ -49,7 +49,7 @@ When you interact with this agent, it will: ### Create New Workflow **Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/create-agentic-workflow.md +**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/create-agentic-workflow.md **Use cases**: - "Create a workflow that triages issues" @@ -59,7 +59,7 @@ When you interact with this agent, it will: ### Update Existing Workflow **Load when**: User wants to modify, improve, or refactor an existing workflow -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/update-agentic-workflow.md +**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/update-agentic-workflow.md **Use cases**: - "Add web-fetch tool to the issue-classifier workflow" @@ -69,7 +69,7 @@ When you interact with this agent, it will: ### Debug Workflow **Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/debug-agentic-workflow.md +**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/debug-agentic-workflow.md **Use cases**: - "Why is this workflow failing?" @@ -79,7 +79,7 @@ When you interact with this agent, it will: ### Upgrade Agentic Workflows **Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/upgrade-agentic-workflows.md +**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/upgrade-agentic-workflows.md **Use cases**: - "Upgrade all workflows to the latest version" @@ -89,37 +89,13 @@ When you interact with this agent, it will: ### Create Shared Agentic Workflow **Load when**: User wants to create a reusable workflow component or wrap an MCP server -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/create-shared-agentic-workflow.md +**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/create-shared-agentic-workflow.md **Use cases**: - "Create a shared component for Notion integration" - "Wrap the Slack MCP server as a reusable component" - "Design a shared workflow for database queries" -### Orchestration and Delegation - -**Load when**: Creating or updating workflows that coordinate multiple agents or dispatch work to other workflows - -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/orchestration.md - -**Use cases**: -- Assigning work to AI coding agents -- Dispatching specialized worker workflows -- Using correlation IDs for tracking -- Orchestration design patterns - -### GitHub Projects Integration - -**Load when**: Creating or updating workflows that manage GitHub Projects v2 - -**Prompt file**: https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/projects.md - -**Use cases**: -- Tracking items and fields with update-project -- Posting periodic run summaries -- Creating new projects -- Projects v2 authentication and configuration - ## Instructions When a user interacts with you: @@ -160,7 +136,7 @@ gh aw compile --validate ## Important Notes -- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.45.3/.github/aw/github-agentic-workflows.md for complete documentation +- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.45.6/.github/aw/github-agentic-workflows.md for complete documentation - Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud - Workflows must be compiled to `.lock.yml` files before running in GitHub Actions - **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF diff --git a/.github/workflows/memory-safety-report.lock.yml b/.github/workflows/memory-safety-report.lock.yml new file mode 100644 index 000000000..a7b0dca07 --- /dev/null +++ b/.github/workflows/memory-safety-report.lock.yml @@ -0,0 +1,1118 @@ +# +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by gh-aw (v0.45.6). DO NOT EDIT. +# +# To update this file, edit the corresponding .md file and run: +# gh aw compile +# Not all edits will cause changes to this file. +# +# For more information: https://github.github.com/gh-aw/introduction/overview/ +# +# Generates a detailed Memory Safety report for Z3 by analyzing ASan/UBSan sanitizer logs from the memory-safety workflow, posting findings as a GitHub Discussion. +# +# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b0987209ae9803a2044e33e0218a06e8964d0d749f873a7caf17a278b594b54f"} + +name: "Memory Safety Analysis Report Generator" +"on": + workflow_dispatch: + workflow_run: + # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation + types: + - completed + workflows: + - Memory Safety Analysis + +permissions: {} + +concurrency: + group: "gh-aw-${{ github.workflow }}" + +run-name: "Memory Safety Analysis Report Generator" + +jobs: + activation: + needs: pre_activation + # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation + if: > + (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'workflow_run') || ((github.event.workflow_run.repository.id == github.repository_id) && + (!(github.event.workflow_run.repository.fork)))) + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + comment_id: "" + comment_repo: "" + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Checkout .github and .agents folders + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + .github + .agents + fetch-depth: 1 + persist-credentials: false + - name: Check workflow file timestamps + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_WORKFLOW_FILE: "memory-safety-report.lock.yml" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + await main(); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" + + GH_AW_PROMPT_EOF + cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" + cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" + + GitHub API Access Instructions + + The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. + + + To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. + + Temporary IDs: Some safe output tools support a temporary ID field (usually named temporary_id) so you can reference newly-created items elsewhere in the SAME agent output (for example, using #aw_abc1 in a later body). + + **IMPORTANT - temporary_id format rules:** + - If you DON'T need to reference the item later, OMIT the temporary_id field entirely (it will be auto-generated if needed) + - If you DO need cross-references/chaining, you MUST match this EXACT validation regex: /^aw_[A-Za-z0-9]{3,8}$/i + - Format: aw_ prefix followed by 3 to 8 alphanumeric characters (A-Z, a-z, 0-9, case-insensitive) + - Valid alphanumeric characters: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 + - INVALID examples: aw_ab (too short), aw_123456789 (too long), aw_test-id (contains hyphen), aw_id_123 (contains underscore) + - VALID examples: aw_abc, aw_abc1, aw_Test123, aw_A1B2C3D4, aw_12345678 + - To generate valid IDs: use 3-8 random alphanumeric characters or omit the field to let the system auto-generate + + Do NOT invent other aw_* formats — downstream steps will reject them with validation errors matching against /^aw_[A-Za-z0-9]{3,8}$/i. + + Discover available tools from the safeoutputs MCP server. + + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. + + **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. + + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" + + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import .github/workflows/memory-safety-report.md}} + GH_AW_PROMPT_EOF + - name: Interpolate variables and render templates + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Substitute placeholders + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_ALLOWED_EXTENSIONS: '' + GH_AW_CACHE_DESCRIPTION: '' + GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/' + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }} + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: ${{ needs.pre_activation.outputs.matched_command }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_ALLOWED_EXTENSIONS: process.env.GH_AW_ALLOWED_EXTENSIONS, + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID: process.env.GH_AW_GITHUB_EVENT_WORKFLOW_RUN_ID, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKFLOW: process.env.GH_AW_GITHUB_WORKFLOW, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED, + GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND + } + }); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Upload prompt artifact + if: success() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: prompt + path: /tmp/gh-aw/aw-prompts/prompt.txt + retention-days: 1 + + agent: + needs: activation + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + discussions: read + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_WORKFLOW_ID_SANITIZED: memorysafetyreport + outputs: + checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + has_patch: ${{ steps.collect_output.outputs.has_patch }} + model: ${{ steps.generate_aw_info.outputs.model }} + output: ${{ steps.collect_output.outputs.output }} + output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Create gh-aw temp directory + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Checkout repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + with: + persist-credentials: false + + # Cache memory file share configuration from frontmatter processed below + - name: Create cache-memory directory + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + - name: Restore cache-memory file share data + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} + path: /tmp/gh-aw/cache-memory + restore-keys: | + memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}- + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Checkout PR branch + id: checkout-pr + if: | + github.event.pull_request + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + await main(); + - name: Generate agentic run info + id: generate_aw_info + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const fs = require('fs'); + + const awInfo = { + engine_id: "copilot", + engine_name: "GitHub Copilot CLI", + model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", + version: "", + agent_version: "0.0.410", + cli_version: "v0.45.6", + workflow_name: "Memory Safety Analysis Report Generator", + experimental: false, + supports_tools_allowlist: true, + run_id: context.runId, + run_number: context.runNumber, + run_attempt: process.env.GITHUB_RUN_ATTEMPT, + repository: context.repo.owner + '/' + context.repo.repo, + ref: context.ref, + sha: context.sha, + actor: context.actor, + event_name: context.eventName, + staged: false, + allowed_domains: ["defaults"], + firewall_enabled: true, + awf_version: "v0.19.1", + awmg_version: "v0.1.4", + steps: { + firewall: "squid" + }, + created_at: new Date().toISOString() + }; + + // Write to /tmp/gh-aw directory to avoid inclusion in PR + const tmpPath = '/tmp/gh-aw/aw_info.json'; + fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); + console.log('Generated aw_info.json at:', tmpPath); + console.log(JSON.stringify(awInfo, null, 2)); + + // Set model as output for reuse in other steps/jobs + core.setOutput('model', awInfo.model); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.410 + - name: Install awf binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.19.1 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + with: + script: | + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.19.1 ghcr.io/github/gh-aw-firewall/squid:0.19.1 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + - name: Write Safe Outputs Config + run: | + mkdir -p /opt/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs + cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + {"create_discussion":{"expires":168,"max":1},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + GH_AW_SAFE_OUTPUTS_CONFIG_EOF + cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' + [ + { + "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Memory Safety] \". Discussions will be created in category \"agentic workflows\".", + "inputSchema": { + "additionalProperties": false, + "properties": { + "body": { + "description": "Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions.", + "type": "string" + }, + "category": { + "description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository.", + "type": "string" + }, + "title": { + "description": "Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive.", + "type": "string" + } + }, + "required": [ + "title", + "body" + ], + "type": "object" + }, + "name": "create_discussion" + }, + { + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "reason": { + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", + "type": "string" + }, + "tool": { + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "type": "string" + } + }, + "required": [ + "reason" + ], + "type": "object" + }, + "name": "missing_tool" + }, + { + "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "message": { + "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", + "type": "string" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" + } + ] + GH_AW_SAFE_OUTPUTS_TOOLS_EOF + cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + { + "create_discussion": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "category": { + "type": "string", + "sanitize": true, + "maxLength": 128 + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "missing_tool": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 512 + }, + "reason": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "tool": { + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + } + } + GH_AW_SAFE_OUTPUTS_VALIDATION_EOF + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + # Mask immediately to prevent timing vulnerabilities + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${API_KEY}" + + PORT=3001 + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + DEBUG: '*' + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export DEBUG + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP Gateway + id: start-mcp-gateway + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + set -eo pipefail + mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export MCP_GATEWAY_API_KEY + export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" + mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export DEBUG="*" + + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.4' + + mkdir -p /home/runner/.copilot + cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + { + "mcpServers": { + "github": { + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.3", + "env": { + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" + } + }, + "safeoutputs": { + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + } + } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}", + "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" + } + } + GH_AW_MCP_CONFIG_EOF + - name: Generate workflow overview + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); + await generateWorkflowOverview(core); + - name: Download prompt artifact + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: prompt + path: /tmp/gh-aw/aw-prompts + - name: Clean git credentials + run: bash /opt/gh-aw/actions/clean_git_credentials.sh + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + timeout-minutes: 30 + run: | + set -o pipefail + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.19.1 --skip-pull \ + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Copy Copilot session state files to logs + if: always() + continue-on-error: true + run: | + # Copy Copilot session state files to logs folder for artifact collection + # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them + SESSION_STATE_DIR="$HOME/.copilot/session-state" + LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" + + if [ -d "$SESSION_STATE_DIR" ]; then + echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" + mkdir -p "$LOGS_DIR" + cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true + echo "Session state files copied successfully" + else + echo "No session-state directory found at $SESSION_STATE_DIR" + fi + - name: Stop MCP Gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + - name: Redact secrets in logs + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + await main(); + env: + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload Safe Outputs + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: safe-output + path: ${{ env.GH_AW_SAFE_OUTPUTS }} + if-no-files-found: warn + - name: Ingest agent output + id: collect_output + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + await main(); + - name: Upload sanitized agent output + if: always() && env.GH_AW_AGENT_OUTPUT + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: agent-output + path: ${{ env.GH_AW_AGENT_OUTPUT }} + if-no-files-found: warn + - name: Upload engine output files + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: agent_outputs + path: | + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log + if-no-files-found: ignore + - name: Parse agent logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + await main(); + - name: Parse MCP Gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs + if: always() + continue-on-error: true + env: + AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) + if command -v awf &> /dev/null; then + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + else + echo 'AWF binary not installed, skipping firewall log summary' + fi + - name: Upload cache-memory data as artifact + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + if: always() + with: + name: cache-memory + path: /tmp/gh-aw/cache-memory + - name: Upload agent artifacts + if: always() + continue-on-error: true + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: agent-artifacts + path: | + /tmp/gh-aw/aw-prompts/prompt.txt + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/mcp-logs/ + /tmp/gh-aw/sandbox/firewall/logs/ + /tmp/gh-aw/agent-stdio.log + /tmp/gh-aw/agent/ + if-no-files-found: ignore + + conclusion: + needs: + - activation + - agent + - detection + - safe_outputs + - update_cache_memory + if: (always()) && (needs.agent.result != 'skipped') + runs-on: ubuntu-slim + permissions: + contents: read + discussions: write + issues: write + outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} + tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} + total_count: ${{ steps.missing_tool.outputs.total_count }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: 1 + GH_AW_WORKFLOW_NAME: "Memory Safety Analysis Report Generator" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); + - name: Record Missing Tool + id: missing_tool + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_MISSING_TOOL_CREATE_ISSUE: "true" + GH_AW_MISSING_TOOL_TITLE_PREFIX: "[missing tool]" + GH_AW_WORKFLOW_NAME: "Memory Safety Analysis Report Generator" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Memory Safety Analysis Report Generator" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_WORKFLOW_ID: "memory-safety-report" + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} + GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle No-Op Message + id: handle_noop_message + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Memory Safety Analysis Report Generator" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} + GH_AW_NOOP_REPORT_AS_ISSUE: "true" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + await main(); + + detection: + needs: agent + if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' + runs-on: ubuntu-latest + permissions: {} + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + timeout-minutes: 10 + outputs: + success: ${{ steps.parse_results.outputs.success }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download agent artifacts + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-artifacts + path: /tmp/gh-aw/threat-detection/ + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-output + path: /tmp/gh-aw/threat-detection/ + - name: Echo agent output types + env: + AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} + run: | + echo "Agent output-types: $AGENT_OUTPUT_TYPES" + - name: Setup threat detection + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + WORKFLOW_NAME: "Memory Safety Analysis Report Generator" + WORKFLOW_DESCRIPTION: "Generates a detailed Memory Safety report for Z3 by analyzing ASan/UBSan sanitizer logs from the memory-safety workflow, posting findings as a GitHub Discussion." + HAS_PATCH: ${{ needs.agent.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.410 + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" + mkdir -p /tmp/ + mkdir -p /tmp/gh-aw/ + mkdir -p /tmp/gh-aw/agent/ + mkdir -p /tmp/gh-aw/sandbox/agent/logs/ + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_results + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: threat-detection.log + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + + pre_activation: + runs-on: ubuntu-slim + outputs: + activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Check team membership for workflow + id: check_membership + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_REQUIRED_ROLES: admin,maintainer,write + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + await main(); + + safe_outputs: + needs: + - agent + - detection + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') + runs-on: ubuntu-slim + permissions: + contents: read + discussions: write + issues: write + timeout-minutes: 15 + env: + GH_AW_ENGINE_ID: "copilot" + GH_AW_WORKFLOW_ID: "memory-safety-report" + GH_AW_WORKFLOW_NAME: "Memory Safety Analysis Report Generator" + outputs: + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} + process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} + process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process Safe Outputs + id: process_safe_outputs + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"agentic workflows\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[Memory Safety] \"},\"missing_data\":{},\"missing_tool\":{}}" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + await main(); + + update_cache_memory: + needs: + - agent + - detection + if: always() && needs.detection.outputs.success == 'true' + runs-on: ubuntu-latest + permissions: {} + steps: + - name: Setup Scripts + uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + with: + destination: /opt/gh-aw/actions + - name: Download cache-memory artifact (default) + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + continue-on-error: true + with: + name: cache-memory + path: /tmp/gh-aw/cache-memory + - name: Save cache-memory to cache (default) + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} + path: /tmp/gh-aw/cache-memory + diff --git a/.github/workflows/memory-safety-report.md b/.github/workflows/memory-safety-report.md index 0b95b2f29..a492c0cb1 100644 --- a/.github/workflows/memory-safety-report.md +++ b/.github/workflows/memory-safety-report.md @@ -15,7 +15,7 @@ timeout-minutes: 30 permissions: actions: read contents: read - discussions: write + discussions: read network: defaults @@ -202,4 +202,4 @@ Store the current run's results in cache memory for future comparison: - **DO NOT** attempt to fix the findings automatically. - **DO** close older Memory Safety discussions automatically (configured via `close-older-discussions: true`). - **DO** always report the commit SHA so findings can be correlated with specific code versions. -- **DO** use cache memory to track trends over multiple runs. +- **DO** use cache memory to track trends over multiple runs. \ No newline at end of file From e4b85d234ebf341b7c3896895ed4ad5f7aefb714 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:44:45 +0000 Subject: [PATCH 16/29] Initial plan From 7d19851c2f1aed00913df7fbbdf842ad449d478f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:48:17 +0000 Subject: [PATCH 17/29] fix: fix memory leaks detected by ASan in test code Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- src/test/dl_relation.cpp | 2 ++ src/test/simplifier.cpp | 1 + 2 files changed, 3 insertions(+) diff --git a/src/test/dl_relation.cpp b/src/test/dl_relation.cpp index 1646350f2..709712bc3 100644 --- a/src/test/dl_relation.cpp +++ b/src/test/dl_relation.cpp @@ -111,6 +111,7 @@ namespace datalog { i5->deallocate(); dealloc(join1); dealloc(proj1); + dealloc(proj2); dealloc(ren1); dealloc(union1); dealloc(filterId1); @@ -281,6 +282,7 @@ namespace datalog { i5->deallocate(); dealloc(join1); dealloc(proj1); + dealloc(proj2); dealloc(ren1); dealloc(union1); dealloc(filterId1); diff --git a/src/test/simplifier.cpp b/src/test/simplifier.cpp index f3a5ba8b2..a4da49861 100644 --- a/src/test/simplifier.cpp +++ b/src/test/simplifier.cpp @@ -138,6 +138,7 @@ static void test_skolemize_bug() { Z3_ast f3 = Z3_simplify(ctx, f2); std::cout << Z3_ast_to_string(ctx, f3) << "\n"; + Z3_del_context(ctx); } From 391febed3bd92d924439e11a30f1336d332a6bad Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:51:12 +0000 Subject: [PATCH 18/29] Fix null pointer dereferences and uninitialized variables from discussion #8891 Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- src/ast/euf/euf_mam.cpp | 1 + src/ast/sls/sls_euf_plugin.cpp | 8 ++++---- src/math/realclosure/realclosure.cpp | 6 ++++++ src/muz/spacer/spacer_context.cpp | 4 ++-- src/smt/mam.cpp | 1 + 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/src/ast/euf/euf_mam.cpp b/src/ast/euf/euf_mam.cpp index 00d9c0726..cce838c61 100644 --- a/src/ast/euf/euf_mam.cpp +++ b/src/ast/euf/euf_mam.cpp @@ -1402,6 +1402,7 @@ namespace euf { // to check it again. get_check_mark(reg) == NOT_CHECKED && is_ground(m_registers[reg]) && + instr->m_enode != nullptr && get_pat_lbl_hash(reg) == instr->m_enode->get_lbl_hash(); } diff --git a/src/ast/sls/sls_euf_plugin.cpp b/src/ast/sls/sls_euf_plugin.cpp index d1d135d1e..696944bec 100644 --- a/src/ast/sls/sls_euf_plugin.cpp +++ b/src/ast/sls/sls_euf_plugin.cpp @@ -289,23 +289,23 @@ namespace sls { b = g.find(to_app(e)->get_arg(1)); } if (lit.sign() && m.is_eq(e)) { - if (a->get_root() == b->get_root()) { + if (a && b && a->get_root() == b->get_root()) { IF_VERBOSE(0, verbose_stream() << "not disequal " << lit << " " << mk_pp(e, m) << "\n"); ctx.display(verbose_stream()); UNREACHABLE(); } } else if (!lit.sign() && m.is_eq(e)) { - if (a->get_root() != b->get_root()) { + if (a && b && a->get_root() != b->get_root()) { IF_VERBOSE(0, verbose_stream() << "not equal " << lit << " " << mk_pp(e, m) << "\n"); //UNREACHABLE(); } } - else if (to_app(e)->get_family_id() != basic_family_id && lit.sign() && g.find(e)->get_root() != g.find(m.mk_false())->get_root()) { + else if (to_app(e)->get_family_id() != basic_family_id && lit.sign() && g.find(e) && g.find(m.mk_false()) && g.find(e)->get_root() != g.find(m.mk_false())->get_root()) { IF_VERBOSE(0, verbose_stream() << "not alse " << lit << " " << mk_pp(e, m) << "\n"); //UNREACHABLE(); } - else if (to_app(e)->get_family_id() != basic_family_id && !lit.sign() && g.find(e)->get_root() != g.find(m.mk_true())->get_root()) { + else if (to_app(e)->get_family_id() != basic_family_id && !lit.sign() && g.find(e) && g.find(m.mk_true()) && g.find(e)->get_root() != g.find(m.mk_true())->get_root()) { IF_VERBOSE(0, verbose_stream() << "not true " << lit << " " << mk_pp(e, m) << "\n"); //UNREACHABLE(); } diff --git a/src/math/realclosure/realclosure.cpp b/src/math/realclosure/realclosure.cpp index 80e6420bd..8b11e1725 100644 --- a/src/math/realclosure/realclosure.cpp +++ b/src/math/realclosure/realclosure.cpp @@ -3458,6 +3458,8 @@ namespace realclosure { if (sc) sc = sc->prev(); i--; } + if (!sc) + return 0; return ext->sdt()->qs()[sc->qidx()].size(); } @@ -3474,6 +3476,8 @@ namespace realclosure { if (sc) sc = sc->prev(); i--; } + if (!sc) + return 0; const polynomial & q = ext->sdt()->qs()[sc->qidx()]; return q.size(); } @@ -3491,6 +3495,8 @@ namespace realclosure { if (sc) sc = sc->prev(); i--; } + if (!sc) + return numeral(); const polynomial & q = ext->sdt()->qs()[sc->qidx()]; if (j >= q.size()) return numeral(); diff --git a/src/muz/spacer/spacer_context.cpp b/src/muz/spacer/spacer_context.cpp index cf27f23cb..3f46dadb4 100644 --- a/src/muz/spacer/spacer_context.cpp +++ b/src/muz/spacer/spacer_context.cpp @@ -3330,7 +3330,7 @@ bool context::is_reachable(pob &n) model_ref mdl; // used in case n is reachable - bool is_concrete; + bool is_concrete = false; const datalog::rule * r = nullptr; // denotes which predecessor's (along r) reach facts are used bool_vector reach_pred_used; @@ -3521,7 +3521,7 @@ lbool context::expand_pob(pob& n, pob_ref_buffer &out) model_ref model; // used in case n is reachable - bool is_concrete; + bool is_concrete = false; const datalog::rule * r = nullptr; // denotes which predecessor's (along r) reach facts are used bool_vector reach_pred_used; diff --git a/src/smt/mam.cpp b/src/smt/mam.cpp index a27fc293f..3719f30c9 100644 --- a/src/smt/mam.cpp +++ b/src/smt/mam.cpp @@ -1360,6 +1360,7 @@ namespace { // to check it again. get_check_mark(reg) == NOT_CHECKED && is_ground(m_registers[reg]) && + instr->m_enode != nullptr && get_pat_lbl_hash(reg) == instr->m_enode->get_lbl_hash(); } From a6c94a1bfc5ce12a0a79fe60e1909937b5ceb578 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:57:59 +0000 Subject: [PATCH 19/29] Refactor sls_euf_plugin.cpp validate_model and add SASSERT in udoc_relation.cpp Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- src/ast/sls/sls_euf_plugin.cpp | 20 ++++++++++++++------ src/muz/rel/udoc_relation.cpp | 1 + 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/ast/sls/sls_euf_plugin.cpp b/src/ast/sls/sls_euf_plugin.cpp index 696944bec..8ab5f73df 100644 --- a/src/ast/sls/sls_euf_plugin.cpp +++ b/src/ast/sls/sls_euf_plugin.cpp @@ -301,13 +301,21 @@ namespace sls { //UNREACHABLE(); } } - else if (to_app(e)->get_family_id() != basic_family_id && lit.sign() && g.find(e) && g.find(m.mk_false()) && g.find(e)->get_root() != g.find(m.mk_false())->get_root()) { - IF_VERBOSE(0, verbose_stream() << "not alse " << lit << " " << mk_pp(e, m) << "\n"); - //UNREACHABLE(); + else if (to_app(e)->get_family_id() != basic_family_id && lit.sign()) { + auto* ne = g.find(e); + auto* nf = g.find(m.mk_false()); + if (ne && nf && ne->get_root() != nf->get_root()) { + IF_VERBOSE(0, verbose_stream() << "not false " << lit << " " << mk_pp(e, m) << "\n"); + //UNREACHABLE(); + } } - else if (to_app(e)->get_family_id() != basic_family_id && !lit.sign() && g.find(e) && g.find(m.mk_true()) && g.find(e)->get_root() != g.find(m.mk_true())->get_root()) { - IF_VERBOSE(0, verbose_stream() << "not true " << lit << " " << mk_pp(e, m) << "\n"); - //UNREACHABLE(); + else if (to_app(e)->get_family_id() != basic_family_id && !lit.sign()) { + auto* ne = g.find(e); + auto* nt = g.find(m.mk_true()); + if (ne && nt && ne->get_root() != nt->get_root()) { + IF_VERBOSE(0, verbose_stream() << "not true " << lit << " " << mk_pp(e, m) << "\n"); + //UNREACHABLE(); + } } } diff --git a/src/muz/rel/udoc_relation.cpp b/src/muz/rel/udoc_relation.cpp index 068af24b6..17d68660e 100644 --- a/src/muz/rel/udoc_relation.cpp +++ b/src/muz/rel/udoc_relation.cpp @@ -54,6 +54,7 @@ namespace datalog { col = column_idx(orig[i]); limit = col + column_num_bits(orig[i]); } else { + SASSERT(other); unsigned idx = orig[i] - get_num_cols(); col = get_num_bits() + other->column_idx(idx); limit = col + other->column_num_bits(idx); From 78fa6d5ee8da5489e495648f1f974cc0e4722ee6 Mon Sep 17 00:00:00 2001 From: Lev Nachmanson Date: Mon, 9 Mar 2026 10:51:26 -1000 Subject: [PATCH 20/29] allow calling lp().restore_x() only in case the number of column in lp() remained the same: it might grow Signed-off-by: Lev Nachmanson --- src/math/lp/lar_core_solver.h | 2 +- src/math/lp/nra_solver.cpp | 4 ++-- src/smt/theory_lra.cpp | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/src/math/lp/lar_core_solver.h b/src/math/lp/lar_core_solver.h index 1773317be..258bfdad2 100644 --- a/src/math/lp/lar_core_solver.h +++ b/src/math/lp/lar_core_solver.h @@ -81,8 +81,8 @@ public: void backup_x() { m_backup_x = m_r_x; } void restore_x() { + SASSERT(m_backup_x.size() == m_r_A.column_count()); m_r_x = m_backup_x; - m_r_x.reserve(m_m()); } vector const& r_x() const { return m_r_x; } diff --git a/src/math/lp/nra_solver.cpp b/src/math/lp/nra_solver.cpp index bfedd12e4..dae20dc69 100644 --- a/src/math/lp/nra_solver.cpp +++ b/src/math/lp/nra_solver.cpp @@ -241,16 +241,16 @@ struct solver::imp { lra.init_model(); for (lp::constraint_index ci : lra.constraints().indices()) if (!check_constraint(ci)) { - VERIFY(!m_coi.constraints().contains(ci)); IF_VERBOSE(0, verbose_stream() << "constraint " << ci << " violated\n"; lra.constraints().display(verbose_stream())); + UNREACHABLE(); return l_undef; } for (auto const &m : m_nla_core.emons()) { if (!check_monic(m)) { - VERIFY(!m_coi.mons().contains(m.var())); IF_VERBOSE(0, verbose_stream() << "monic " << m << " violated\n"; lra.constraints().display(verbose_stream())); + UNREACHABLE(); return l_undef; } } diff --git a/src/smt/theory_lra.cpp b/src/smt/theory_lra.cpp index 05053f4ea..91c47bbf8 100644 --- a/src/smt/theory_lra.cpp +++ b/src/smt/theory_lra.cpp @@ -3988,6 +3988,7 @@ public: lp::impq term_max; lp::lp_status st; lpvar vi = 0; + unsigned size_of_backup = lp().column_count(); if (has_int()) { lp().backup_x(); } @@ -4008,7 +4009,8 @@ public: if (has_int() && lp().has_inf_int()) { st = lp::lp_status::FEASIBLE; - lp().restore_x(); + if (lp().column_count() == size_of_backup) + lp().restore_x(); } if (m_nla && (st == lp::lp_status::OPTIMAL || st == lp::lp_status::UNBOUNDED)) { switch (check_nla(level)) { @@ -4020,7 +4022,8 @@ public: st = lp::lp_status::UNBOUNDED; break; } - lp().restore_x(); + if (lp().column_count() == size_of_backup) + lp().restore_x(); } } switch (st) { From d21231fc22b7f5b578ef14e0ce072343d1d3db5a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:44:52 +0000 Subject: [PATCH 21/29] Bump actions/checkout from 4 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/Windows.yml | 2 +- .github/workflows/android-build.yml | 2 +- .github/workflows/build-z3-cache.yml | 2 +- .github/workflows/ci.yml | 20 +++++------ .github/workflows/coverage.yml | 2 +- .github/workflows/cross-build.yml | 2 +- .github/workflows/docs.yml | 4 +-- .../workflows/memory-safety-report.lock.yml | 2 +- .github/workflows/memory-safety.yml | 4 +-- .../workflows/msvc-static-build-clang-cl.yml | 2 +- .github/workflows/msvc-static-build.yml | 2 +- .github/workflows/nightly-validation.yml | 36 +++++++++---------- .github/workflows/nightly.yml | 32 ++++++++--------- .github/workflows/nuget-build.yml | 16 ++++----- .github/workflows/ocaml.yaml | 2 +- .github/workflows/pyodide.yml | 2 +- .github/workflows/qf-s-benchmark.lock.yml | 2 +- .github/workflows/release.yml | 34 +++++++++--------- .github/workflows/wasm-release.yml | 2 +- .github/workflows/wasm.yml | 2 +- .github/workflows/wip.yml | 2 +- .github/workflows/zipt-code-reviewer.lock.yml | 2 +- 22 files changed, 88 insertions(+), 88 deletions(-) diff --git a/.github/workflows/Windows.yml b/.github/workflows/Windows.yml index 9441f9930..24008bc72 100644 --- a/.github/workflows/Windows.yml +++ b/.github/workflows/Windows.yml @@ -28,7 +28,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Add msbuild to PATH uses: microsoft/setup-msbuild@v2 - run: | diff --git a/.github/workflows/android-build.yml b/.github/workflows/android-build.yml index 649cde2ce..4ffae107d 100644 --- a/.github/workflows/android-build.yml +++ b/.github/workflows/android-build.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Configure CMake and build run: | diff --git a/.github/workflows/build-z3-cache.yml b/.github/workflows/build-z3-cache.yml index 4f3ce7089..5d6e22432 100644 --- a/.github/workflows/build-z3-cache.yml +++ b/.github/workflows/build-z3-cache.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index af61639da..ae2136e4d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: runRegressions: false steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -81,7 +81,7 @@ jobs: container: "quay.io/pypa/manylinux_2_34_x86_64:latest" steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python virtual environment run: "/opt/python/cp38-cp38/bin/python -m venv $PWD/env" @@ -113,7 +113,7 @@ jobs: container: quay.io/pypa/manylinux_2_28_x86_64:latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download ARM toolchain run: curl -L -o /tmp/arm-toolchain.tar.xz 'https://developer.arm.com/-/media/Files/downloads/gnu/13.3.rel1/binrel/arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz' @@ -149,7 +149,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup OCaml uses: ocaml/setup-ocaml@v3 @@ -204,7 +204,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup OCaml uses: ocaml/setup-ocaml@v3 @@ -298,7 +298,7 @@ jobs: runTests: false steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -388,7 +388,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -436,7 +436,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -476,7 +476,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -496,7 +496,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index e07e3e011..aaae14b23 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -19,7 +19,7 @@ jobs: COV_DETAILS_PATH: ${{github.workspace}}/cov-details steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v6 - name: Setup run: | diff --git a/.github/workflows/cross-build.yml b/.github/workflows/cross-build.yml index f8213abce..9c5dedaa0 100644 --- a/.github/workflows/cross-build.yml +++ b/.github/workflows/cross-build.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Install cross build tools run: apt update && apt install -y ninja-build cmake python3 g++-13-${{ matrix.arch }}-linux-gnu diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index cfea8b53f..d5262b6b2 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Go uses: actions/setup-go@v6 @@ -46,7 +46,7 @@ jobs: needs: build-go-docs steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup node uses: actions/setup-node@v6 diff --git a/.github/workflows/memory-safety-report.lock.yml b/.github/workflows/memory-safety-report.lock.yml index a7b0dca07..df9e4d413 100644 --- a/.github/workflows/memory-safety-report.lock.yml +++ b/.github/workflows/memory-safety-report.lock.yml @@ -275,7 +275,7 @@ jobs: - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/memory-safety.yml b/.github/workflows/memory-safety.yml index 2c8846d68..bd277583c 100644 --- a/.github/workflows/memory-safety.yml +++ b/.github/workflows/memory-safety.yml @@ -34,7 +34,7 @@ jobs: ASAN_OPTIONS: "detect_leaks=1:halt_on_error=0:print_stats=1:log_path=/tmp/asan" steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v5 @@ -124,7 +124,7 @@ jobs: UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=0:log_path=/tmp/ubsan" steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v5 diff --git a/.github/workflows/msvc-static-build-clang-cl.yml b/.github/workflows/msvc-static-build-clang-cl.yml index f57bbbaa7..e13b3ddf1 100644 --- a/.github/workflows/msvc-static-build-clang-cl.yml +++ b/.github/workflows/msvc-static-build-clang-cl.yml @@ -14,7 +14,7 @@ jobs: BUILD_TYPE: Release steps: - name: Checkout Repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Build run: | diff --git a/.github/workflows/msvc-static-build.yml b/.github/workflows/msvc-static-build.yml index 379dad1d1..f37f9804b 100644 --- a/.github/workflows/msvc-static-build.yml +++ b/.github/workflows/msvc-static-build.yml @@ -14,7 +14,7 @@ jobs: BUILD_TYPE: Release steps: - name: Checkout Repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Build run: | diff --git a/.github/workflows/nightly-validation.yml b/.github/workflows/nightly-validation.yml index 2cb6f4233..013481e42 100644 --- a/.github/workflows/nightly-validation.yml +++ b/.github/workflows/nightly-validation.yml @@ -27,7 +27,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup .NET uses: actions/setup-dotnet@v5 @@ -87,7 +87,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup .NET uses: actions/setup-dotnet@v5 @@ -142,7 +142,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup .NET uses: actions/setup-dotnet@v5 @@ -214,7 +214,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup .NET uses: actions/setup-dotnet@v5 @@ -290,7 +290,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download Windows x64 build from release env: @@ -326,7 +326,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download Windows x86 build from release env: @@ -362,7 +362,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download Ubuntu x64 build from release env: @@ -395,7 +395,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS x64 build from release env: @@ -428,7 +428,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS ARM64 build from release env: @@ -465,7 +465,7 @@ jobs: timeout-minutes: 60 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -504,7 +504,7 @@ jobs: timeout-minutes: 60 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -544,7 +544,7 @@ jobs: timeout-minutes: 60 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -587,7 +587,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -616,7 +616,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -645,7 +645,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -674,7 +674,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -710,7 +710,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS x64 build from release env: @@ -762,7 +762,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS ARM64 build from release env: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index a3f28e1a8..aecf9989a 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -35,7 +35,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -58,7 +58,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -86,7 +86,7 @@ jobs: timeout-minutes: 15 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS x64 Build uses: actions/download-artifact@v8.0.0 @@ -134,7 +134,7 @@ jobs: timeout-minutes: 15 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS ARM64 Build uses: actions/download-artifact@v8.0.0 @@ -181,7 +181,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -210,7 +210,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -245,7 +245,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -301,7 +301,7 @@ jobs: container: quay.io/pypa/manylinux_2_28_x86_64:latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python environment run: | @@ -331,7 +331,7 @@ jobs: container: quay.io/pypa/manylinux_2_28_x86_64:latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download ARM toolchain run: curl -L -o /tmp/arm-toolchain.tar.xz 'https://developer.arm.com/-/media/Files/downloads/gnu/13.3.rel1/binrel/arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz' @@ -370,7 +370,7 @@ jobs: timeout-minutes: 120 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -396,7 +396,7 @@ jobs: timeout-minutes: 120 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -422,7 +422,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -452,7 +452,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -527,7 +527,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -572,7 +572,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -681,7 +681,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download all artifacts uses: actions/download-artifact@v8.0.0 diff --git a/.github/workflows/nuget-build.yml b/.github/workflows/nuget-build.yml index 0c4fae581..df1b9ceb3 100644 --- a/.github/workflows/nuget-build.yml +++ b/.github/workflows/nuget-build.yml @@ -20,7 +20,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -44,7 +44,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -68,7 +68,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -92,7 +92,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -113,7 +113,7 @@ jobs: runs-on: macos-14 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -134,7 +134,7 @@ jobs: runs-on: macos-14 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -157,7 +157,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -212,7 +212,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 diff --git a/.github/workflows/ocaml.yaml b/.github/workflows/ocaml.yaml index 595b95a9e..87fafa3aa 100644 --- a/.github/workflows/ocaml.yaml +++ b/.github/workflows/ocaml.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 # Cache ccache (shared across runs) - name: Cache ccache diff --git a/.github/workflows/pyodide.yml b/.github/workflows/pyodide.yml index 3ecc51ffa..6825850c3 100644 --- a/.github/workflows/pyodide.yml +++ b/.github/workflows/pyodide.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup packages run: sudo apt-get update && sudo apt-get install -y python3-dev python3-pip python3-venv diff --git a/.github/workflows/qf-s-benchmark.lock.yml b/.github/workflows/qf-s-benchmark.lock.yml index 334b7aaf7..3f15fb6ad 100644 --- a/.github/workflows/qf-s-benchmark.lock.yml +++ b/.github/workflows/qf-s-benchmark.lock.yml @@ -248,7 +248,7 @@ jobs: - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Checkout c3 branch - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b9f3eb8cb..01f3038c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -36,7 +36,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -65,7 +65,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -96,7 +96,7 @@ jobs: timeout-minutes: 15 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS x64 Build uses: actions/download-artifact@v8.0.0 @@ -144,7 +144,7 @@ jobs: timeout-minutes: 15 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download macOS ARM64 Build uses: actions/download-artifact@v8.0.0 @@ -191,7 +191,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -220,7 +220,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -255,7 +255,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -311,7 +311,7 @@ jobs: container: quay.io/pypa/manylinux_2_28_x86_64:latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python environment run: | @@ -341,7 +341,7 @@ jobs: container: quay.io/pypa/manylinux_2_28_x86_64:latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download ARM toolchain run: curl -L -o /tmp/arm-toolchain.tar.xz 'https://developer.arm.com/-/media/Files/downloads/gnu/13.3.rel1/binrel/arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz' @@ -380,7 +380,7 @@ jobs: timeout-minutes: 120 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -406,7 +406,7 @@ jobs: timeout-minutes: 120 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -432,7 +432,7 @@ jobs: timeout-minutes: 90 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -462,7 +462,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -537,7 +537,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -582,7 +582,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v6 @@ -689,7 +689,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download all artifacts uses: actions/download-artifact@v8.0.0 @@ -745,7 +745,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Download NuGet packages uses: actions/download-artifact@v8.0.0 diff --git a/.github/workflows/wasm-release.yml b/.github/workflows/wasm-release.yml index 2fb04d49f..ad4bb8b7e 100644 --- a/.github/workflows/wasm-release.yml +++ b/.github/workflows/wasm-release.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup node uses: actions/setup-node@v6 diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml index 0eaa8f863..6168d9470 100644 --- a/.github/workflows/wasm.yml +++ b/.github/workflows/wasm.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@v6 - name: Setup node uses: actions/setup-node@v6 diff --git a/.github/workflows/wip.yml b/.github/workflows/wip.yml index edb4ec812..47d65c6d3 100644 --- a/.github/workflows/wip.yml +++ b/.github/workflows/wip.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v6 - name: Configure CMake run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} diff --git a/.github/workflows/zipt-code-reviewer.lock.yml b/.github/workflows/zipt-code-reviewer.lock.yml index 5bab1b5fd..f41cc2ddd 100644 --- a/.github/workflows/zipt-code-reviewer.lock.yml +++ b/.github/workflows/zipt-code-reviewer.lock.yml @@ -256,7 +256,7 @@ jobs: - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false From a53d63be8594793a1be9f24cfc5a55e641fb439d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:47:13 +0000 Subject: [PATCH 22/29] Bump github/gh-aw from 0.45.6 to 0.57.0 Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.45.6 to 0.57.0. - [Release notes](https://github.com/github/gh-aw/releases) - [Commits](https://github.com/github/gh-aw/compare/v0.45.6...v0.57.0) --- updated-dependencies: - dependency-name: github/gh-aw dependency-version: 0.57.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/a3-python.lock.yml | 10 +++++----- .github/workflows/agentics-maintenance.yml | 2 +- .github/workflows/api-coherence-checker.lock.yml | 12 ++++++------ .github/workflows/build-warning-fixer.lock.yml | 10 +++++----- .../workflows/code-conventions-analyzer.lock.yml | 12 ++++++------ .github/workflows/code-simplifier.lock.yml | 12 ++++++------ .github/workflows/csa-analysis.lock.yml | 10 +++++----- .github/workflows/deeptest.lock.yml | 12 ++++++------ .github/workflows/issue-backlog-processor.lock.yml | 12 ++++++------ .github/workflows/memory-safety-report.lock.yml | 14 +++++++------- .github/workflows/qf-s-benchmark.lock.yml | 10 +++++----- .github/workflows/release-notes-updater.lock.yml | 10 +++++----- .github/workflows/soundness-bug-detector.lock.yml | 12 ++++++------ .github/workflows/specbot.lock.yml | 10 +++++----- .github/workflows/tactic-to-simplifier.lock.yml | 12 ++++++------ .../workflows/workflow-suggestion-agent.lock.yml | 12 ++++++------ .github/workflows/zipt-code-reviewer.lock.yml | 12 ++++++------ 17 files changed, 92 insertions(+), 92 deletions(-) diff --git a/.github/workflows/a3-python.lock.yml b/.github/workflows/a3-python.lock.yml index 19418c3d3..9fe69e707 100644 --- a/.github/workflows/a3-python.lock.yml +++ b/.github/workflows/a3-python.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -247,7 +247,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -819,7 +819,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -912,7 +912,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1023,7 +1023,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 018d4c9b9..96572197e 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -49,7 +49,7 @@ jobs: pull-requests: write steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.51.6 + uses: github/gh-aw/actions/setup@v0.57.0 with: destination: /opt/gh-aw/actions diff --git a/.github/workflows/api-coherence-checker.lock.yml b/.github/workflows/api-coherence-checker.lock.yml index 0c2a50c1b..31e4bed7c 100644 --- a/.github/workflows/api-coherence-checker.lock.yml +++ b/.github/workflows/api-coherence-checker.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -254,7 +254,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -831,7 +831,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -922,7 +922,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1033,7 +1033,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1070,7 +1070,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/build-warning-fixer.lock.yml b/.github/workflows/build-warning-fixer.lock.yml index 15c1af900..5802752cc 100644 --- a/.github/workflows/build-warning-fixer.lock.yml +++ b/.github/workflows/build-warning-fixer.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -242,7 +242,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -804,7 +804,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -909,7 +909,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1021,7 +1021,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/code-conventions-analyzer.lock.yml b/.github/workflows/code-conventions-analyzer.lock.yml index 4867d4d7b..5c27079c0 100644 --- a/.github/workflows/code-conventions-analyzer.lock.yml +++ b/.github/workflows/code-conventions-analyzer.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -249,7 +249,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -910,7 +910,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1003,7 +1003,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1114,7 +1114,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1151,7 +1151,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 797cea8be..56e2a1614 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -54,7 +54,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -252,7 +252,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -824,7 +824,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -925,7 +925,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1020,7 +1020,7 @@ jobs: activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1073,7 +1073,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/csa-analysis.lock.yml b/.github/workflows/csa-analysis.lock.yml index 23631e9b3..01d96f156 100644 --- a/.github/workflows/csa-analysis.lock.yml +++ b/.github/workflows/csa-analysis.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.51.6 + uses: github/gh-aw/actions/setup@v0.57.0 with: destination: /opt/gh-aw/actions - name: Validate context variables @@ -238,7 +238,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.51.6 + uses: github/gh-aw/actions/setup@v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -949,7 +949,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.51.6 + uses: github/gh-aw/actions/setup@v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1053,7 +1053,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.51.6 + uses: github/gh-aw/actions/setup@v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1097,7 +1097,7 @@ jobs: GH_AW_WORKFLOW_ID_SANITIZED: csaanalysis steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.51.6 + uses: github/gh-aw/actions/setup@v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/deeptest.lock.yml b/.github/workflows/deeptest.lock.yml index e0399378b..23c1c43f6 100644 --- a/.github/workflows/deeptest.lock.yml +++ b/.github/workflows/deeptest.lock.yml @@ -55,7 +55,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -263,7 +263,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -885,7 +885,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -990,7 +990,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1103,7 +1103,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1166,7 +1166,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/issue-backlog-processor.lock.yml b/.github/workflows/issue-backlog-processor.lock.yml index a4b0f2bf4..95c19bbbd 100644 --- a/.github/workflows/issue-backlog-processor.lock.yml +++ b/.github/workflows/issue-backlog-processor.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -254,7 +254,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -858,7 +858,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -949,7 +949,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1061,7 +1061,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1098,7 +1098,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/memory-safety-report.lock.yml b/.github/workflows/memory-safety-report.lock.yml index a7b0dca07..1d4458e8f 100644 --- a/.github/workflows/memory-safety-report.lock.yml +++ b/.github/workflows/memory-safety-report.lock.yml @@ -57,7 +57,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -269,7 +269,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -838,7 +838,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -931,7 +931,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1026,7 +1026,7 @@ jobs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1064,7 +1064,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1101,7 +1101,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/qf-s-benchmark.lock.yml b/.github/workflows/qf-s-benchmark.lock.yml index 334b7aaf7..6145fa0a4 100644 --- a/.github/workflows/qf-s-benchmark.lock.yml +++ b/.github/workflows/qf-s-benchmark.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -242,7 +242,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -796,7 +796,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -889,7 +889,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1000,7 +1000,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/release-notes-updater.lock.yml b/.github/workflows/release-notes-updater.lock.yml index d4576d055..11fac1eb2 100644 --- a/.github/workflows/release-notes-updater.lock.yml +++ b/.github/workflows/release-notes-updater.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -247,7 +247,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -799,7 +799,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -890,7 +890,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1001,7 +1001,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/soundness-bug-detector.lock.yml b/.github/workflows/soundness-bug-detector.lock.yml index 624b8c3aa..14fdf5172 100644 --- a/.github/workflows/soundness-bug-detector.lock.yml +++ b/.github/workflows/soundness-bug-detector.lock.yml @@ -56,7 +56,7 @@ jobs: title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -263,7 +263,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -866,7 +866,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -957,7 +957,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1069,7 +1069,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1106,7 +1106,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/specbot.lock.yml b/.github/workflows/specbot.lock.yml index 4b6996d4b..58793c088 100644 --- a/.github/workflows/specbot.lock.yml +++ b/.github/workflows/specbot.lock.yml @@ -61,7 +61,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -257,7 +257,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -815,7 +815,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -908,7 +908,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1019,7 +1019,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/tactic-to-simplifier.lock.yml b/.github/workflows/tactic-to-simplifier.lock.yml index c002b31da..c57f2cca8 100644 --- a/.github/workflows/tactic-to-simplifier.lock.yml +++ b/.github/workflows/tactic-to-simplifier.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -253,7 +253,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -843,7 +843,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -932,7 +932,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1042,7 +1042,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1079,7 +1079,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/workflow-suggestion-agent.lock.yml b/.github/workflows/workflow-suggestion-agent.lock.yml index e87cf03a0..ae1882812 100644 --- a/.github/workflows/workflow-suggestion-agent.lock.yml +++ b/.github/workflows/workflow-suggestion-agent.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -254,7 +254,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -831,7 +831,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -922,7 +922,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1033,7 +1033,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1070,7 +1070,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@33cd6c7f1fee588654ef19def2e6a4174be66197 # v0.51.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/zipt-code-reviewer.lock.yml b/.github/workflows/zipt-code-reviewer.lock.yml index 5bab1b5fd..14e764967 100644 --- a/.github/workflows/zipt-code-reviewer.lock.yml +++ b/.github/workflows/zipt-code-reviewer.lock.yml @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders @@ -250,7 +250,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Create gh-aw temp directory @@ -861,7 +861,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -952,7 +952,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1062,7 +1062,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1099,7 +1099,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c3acb23c6772826a8df80b2b68ae13d268ff43e1 # v0.45.6 + uses: github/gh-aw/actions/setup@902845080df391b1f71845fcd7c303dfc0ac90b3 # v0.57.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) From d11206d3d416a22ef82d8fe788a2d05bc6016be3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:47:37 +0000 Subject: [PATCH 23/29] Bump actions/download-artifact from 4 to 8 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v4...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/docs.yml | 2 +- .../workflows/memory-safety-report.lock.yml | 12 +++--- .github/workflows/memory-safety.yml | 2 +- .github/workflows/nightly.yml | 36 ++++++++--------- .github/workflows/nuget-build.yml | 4 +- .github/workflows/qf-s-benchmark.lock.yml | 10 ++--- .github/workflows/release.yml | 40 +++++++++---------- .github/workflows/zipt-code-reviewer.lock.yml | 12 +++--- 8 files changed, 59 insertions(+), 59 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index cfea8b53f..607c7900b 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -125,7 +125,7 @@ jobs: python3 mk_api_doc.py --js --go --output-dir=api --mld --z3py-package-path=../build-x64/python/z3 --build=../build-x64 - name: Download Go Documentation - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: go-docs path: doc/api/html/go/ diff --git a/.github/workflows/memory-safety-report.lock.yml b/.github/workflows/memory-safety-report.lock.yml index a7b0dca07..2e5253e80 100644 --- a/.github/workflows/memory-safety-report.lock.yml +++ b/.github/workflows/memory-safety-report.lock.yml @@ -648,7 +648,7 @@ jobs: const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Download prompt artifact - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: prompt path: /tmp/gh-aw/aw-prompts @@ -843,7 +843,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -936,13 +936,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1069,7 +1069,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1105,7 +1105,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 continue-on-error: true with: name: cache-memory diff --git a/.github/workflows/memory-safety.yml b/.github/workflows/memory-safety.yml index 2c8846d68..e07e2cba9 100644 --- a/.github/workflows/memory-safety.yml +++ b/.github/workflows/memory-safety.yml @@ -213,7 +213,7 @@ jobs: if: always() steps: - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: path: reports/ diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index a3f28e1a8..b6474cf43 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -89,7 +89,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download macOS x64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: macOsBuild path: artifacts @@ -137,7 +137,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download macOS ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: MacArm64 path: artifacts @@ -460,37 +460,37 @@ jobs: python-version: '3.x' - name: Download Win64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x64 path: package - name: Download Win ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-arm64 path: package - name: Download Ubuntu Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: UbuntuBuild path: package - name: Download Ubuntu ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: UbuntuArm64 path: package - name: Download macOS Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: macOsBuild path: package - name: Download macOS Arm64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: MacArm64 path: package @@ -535,7 +535,7 @@ jobs: python-version: '3.x' - name: Download artifacts - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x86 path: package @@ -580,43 +580,43 @@ jobs: python-version: '3.x' - name: Download macOS x64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: macOsBuild path: artifacts - name: Download macOS Arm64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: MacArm64 path: artifacts - name: Download Win64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x64 path: artifacts - name: Download Win32 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x86 path: artifacts - name: Download Win ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-arm64 path: artifacts - name: Download ManyLinux AMD64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: ManyLinuxPythonBuildAMD64 path: artifacts - name: Download ManyLinux Arm64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: ManyLinuxPythonBuildArm64 path: artifacts @@ -684,7 +684,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download all artifacts - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: path: tmp @@ -749,7 +749,7 @@ jobs: contents: read steps: - name: Download Python packages - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: PythonPackages path: dist diff --git a/.github/workflows/nuget-build.yml b/.github/workflows/nuget-build.yml index 0c4fae581..9ec55d0f9 100644 --- a/.github/workflows/nuget-build.yml +++ b/.github/workflows/nuget-build.yml @@ -165,7 +165,7 @@ jobs: python-version: '3.x' - name: Download all artifacts - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: path: packages @@ -220,7 +220,7 @@ jobs: python-version: '3.x' - name: Download x86 artifact - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: windows-x86 path: packages diff --git a/.github/workflows/qf-s-benchmark.lock.yml b/.github/workflows/qf-s-benchmark.lock.yml index 334b7aaf7..377b8b514 100644 --- a/.github/workflows/qf-s-benchmark.lock.yml +++ b/.github/workflows/qf-s-benchmark.lock.yml @@ -613,7 +613,7 @@ jobs: const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Download prompt artifact - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: prompt path: /tmp/gh-aw/aw-prompts @@ -801,7 +801,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -894,13 +894,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1005,7 +1005,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b9f3eb8cb..29993475f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,7 +99,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download macOS x64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: macOsBuild path: artifacts @@ -147,7 +147,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download macOS ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: MacArm64 path: artifacts @@ -470,37 +470,37 @@ jobs: python-version: '3.x' - name: Download Win64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x64 path: package - name: Download Win ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-arm64 path: package - name: Download Ubuntu Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: UbuntuBuild path: package - name: Download Ubuntu ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: UbuntuArm64 path: package - name: Download macOS Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: macOsBuild path: package - name: Download macOS Arm64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: MacArm64 path: package @@ -545,7 +545,7 @@ jobs: python-version: '3.x' - name: Download artifacts - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x86 path: package @@ -590,43 +590,43 @@ jobs: python-version: '3.x' - name: Download macOS x64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: macOsBuild path: artifacts - name: Download macOS Arm64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: MacArm64 path: artifacts - name: Download Win64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x64 path: artifacts - name: Download Win32 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-x86 path: artifacts - name: Download Win ARM64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: WindowsBuild-arm64 path: artifacts - name: Download ManyLinux AMD64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: ManyLinuxPythonBuildAMD64 path: artifacts - name: Download ManyLinux Arm64 Build - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: ManyLinuxPythonBuildArm64 path: artifacts @@ -692,7 +692,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download all artifacts - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: path: tmp @@ -748,13 +748,13 @@ jobs: uses: actions/checkout@v6.0.2 - name: Download NuGet packages - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: NuGet path: packages - name: Download NuGet32 packages - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: NuGet32 path: packages @@ -781,7 +781,7 @@ jobs: contents: read steps: - name: Download Python packages - uses: actions/download-artifact@v8.0.0 + uses: actions/download-artifact@v8 with: name: PythonPackage path: dist diff --git a/.github/workflows/zipt-code-reviewer.lock.yml b/.github/workflows/zipt-code-reviewer.lock.yml index 5bab1b5fd..118a96185 100644 --- a/.github/workflows/zipt-code-reviewer.lock.yml +++ b/.github/workflows/zipt-code-reviewer.lock.yml @@ -651,7 +651,7 @@ jobs: const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Download prompt artifact - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: prompt path: /tmp/gh-aw/aw-prompts @@ -866,7 +866,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -957,13 +957,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1067,7 +1067,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1103,7 +1103,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 continue-on-error: true with: name: cache-memory From 6805d0896d76bbc7b41d7d8925a0a8961a185fc6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:48:06 +0000 Subject: [PATCH 24/29] Bump actions/cache from 4.3.0 to 5.0.3 Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.3. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/v4.3.0...v5.0.3) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/memory-safety-report.lock.yml | 4 ++-- .github/workflows/zipt-code-reviewer.lock.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/memory-safety-report.lock.yml b/.github/workflows/memory-safety-report.lock.yml index a7b0dca07..ab075ef6b 100644 --- a/.github/workflows/memory-safety-report.lock.yml +++ b/.github/workflows/memory-safety-report.lock.yml @@ -283,7 +283,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -1111,7 +1111,7 @@ jobs: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/zipt-code-reviewer.lock.yml b/.github/workflows/zipt-code-reviewer.lock.yml index 5bab1b5fd..a80aaf434 100644 --- a/.github/workflows/zipt-code-reviewer.lock.yml +++ b/.github/workflows/zipt-code-reviewer.lock.yml @@ -264,7 +264,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -1109,7 +1109,7 @@ jobs: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory From 2f10db79b014c1af13737c2bdfd30d04dbd1534e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:48:37 +0000 Subject: [PATCH 25/29] Bump actions/upload-artifact from 4 to 7 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/android-build.yml | 2 +- .github/workflows/coverage.yml | 4 +-- .github/workflows/docs.yml | 2 +- .../workflows/memory-safety-report.lock.yml | 14 +++++----- .github/workflows/memory-safety.yml | 4 +-- .github/workflows/nightly.yml | 26 +++++++++---------- .github/workflows/nuget-build.yml | 16 ++++++------ .github/workflows/qf-s-benchmark.lock.yml | 12 ++++----- .github/workflows/release.yml | 26 +++++++++---------- .github/workflows/zipt-code-reviewer.lock.yml | 14 +++++----- 10 files changed, 60 insertions(+), 60 deletions(-) diff --git a/.github/workflows/android-build.yml b/.github/workflows/android-build.yml index 649cde2ce..f315e8384 100644 --- a/.github/workflows/android-build.yml +++ b/.github/workflows/android-build.yml @@ -33,7 +33,7 @@ jobs: tar -cvf z3-build-${{ matrix.android-abi }}.tar *.jar *.so - name: Archive production artifacts - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: android-build-${{ matrix.android-abi }} path: build/z3-build-${{ matrix.android-abi }}.tar diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index e07e3e011..08ae99656 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -89,13 +89,13 @@ jobs: id: date run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@v7.0.0 + - uses: actions/upload-artifact@v7 with: name: coverage-${{steps.date.outputs.date}} path: ${{github.workspace}}/coverage.html retention-days: 4 - - uses: actions/upload-artifact@v7.0.0 + - uses: actions/upload-artifact@v7 with: name: coverage-details-${{steps.date.outputs.date}} path: ${{env.COV_DETAILS_PATH}} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index cfea8b53f..a2e9a8177 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -34,7 +34,7 @@ jobs: python3 mk_go_doc.py --output-dir=api/html/go --go-api-path=../src/api/go - name: Upload Go Documentation - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: go-docs path: doc/api/html/go/ diff --git a/.github/workflows/memory-safety-report.lock.yml b/.github/workflows/memory-safety-report.lock.yml index a7b0dca07..3e3369814 100644 --- a/.github/workflows/memory-safety-report.lock.yml +++ b/.github/workflows/memory-safety-report.lock.yml @@ -235,7 +235,7 @@ jobs: run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Upload prompt artifact if: success() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: prompt path: /tmp/gh-aw/aw-prompts/prompt.txt @@ -728,7 +728,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Safe Outputs if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: safe-output path: ${{ env.GH_AW_SAFE_OUTPUTS }} @@ -750,13 +750,13 @@ jobs: await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: agent-output path: ${{ env.GH_AW_AGENT_OUTPUT }} if-no-files-found: warn - name: Upload engine output files - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: agent_outputs path: | @@ -799,7 +799,7 @@ jobs: echo 'AWF binary not installed, skipping firewall log summary' fi - name: Upload cache-memory data as artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: always() with: name: cache-memory @@ -807,7 +807,7 @@ jobs: - name: Upload agent artifacts if: always() continue-on-error: true - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: agent-artifacts path: | @@ -1014,7 +1014,7 @@ jobs: await main(); - name: Upload threat detection log if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: threat-detection.log path: /tmp/gh-aw/threat-detection/detection.log diff --git a/.github/workflows/memory-safety.yml b/.github/workflows/memory-safety.yml index 2c8846d68..0a0643aae 100644 --- a/.github/workflows/memory-safety.yml +++ b/.github/workflows/memory-safety.yml @@ -107,7 +107,7 @@ jobs: - name: Upload ASan reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: asan-reports path: /tmp/asan-reports/ @@ -197,7 +197,7 @@ jobs: - name: Upload UBSan reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: ubsan-reports path: /tmp/ubsan-reports/ diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index a3f28e1a8..e339f6a28 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -46,7 +46,7 @@ jobs: run: python scripts/mk_unix_dist.py --dotnet-key=$GITHUB_WORKSPACE/resources/z3.snk --arch=x64 - name: Upload artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: macOsBuild path: dist/*.zip @@ -69,7 +69,7 @@ jobs: run: python scripts/mk_unix_dist.py --dotnet-key=$GITHUB_WORKSPACE/resources/z3.snk --arch=arm64 - name: Upload artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: MacArm64 path: dist/*.zip @@ -198,7 +198,7 @@ jobs: run: python z3test/scripts/test_benchmarks.py build-dist/z3 z3test/regressions/smt2 - name: Upload artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: UbuntuBuild path: dist/*.zip @@ -233,7 +233,7 @@ jobs: python scripts/mk_unix_dist.py --nodotnet --arch=arm64 - name: Upload artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: UbuntuArm64 path: dist/*.zip @@ -288,7 +288,7 @@ jobs: run: zip -r z3doc.zip doc/api - name: Upload artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@v7 with: name: UbuntuDoc path: z3doc.zip @@ -318,7 +318,7 @@ jobs: run: pip install ./src/api/python/wheelhouse/*.whl && python - Date: Tue, 10 Mar 2026 16:15:09 +0000 Subject: [PATCH 26/29] Initial plan From 42eee12c2fd70e813a2e5859d2c41ad284c0466c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Mar 2026 16:17:24 +0000 Subject: [PATCH 27/29] Code simplifications in sls_euf_plugin.cpp and realclosure.cpp Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- src/ast/sls/sls_euf_plugin.cpp | 49 ++++++++++++++-------------- src/math/realclosure/realclosure.cpp | 33 +++++++------------ 2 files changed, 37 insertions(+), 45 deletions(-) diff --git a/src/ast/sls/sls_euf_plugin.cpp b/src/ast/sls/sls_euf_plugin.cpp index 8ab5f73df..ff1a72748 100644 --- a/src/ast/sls/sls_euf_plugin.cpp +++ b/src/ast/sls/sls_euf_plugin.cpp @@ -287,34 +287,35 @@ namespace sls { if (m.is_eq(e)) { a = g.find(to_app(e)->get_arg(0)); b = g.find(to_app(e)->get_arg(1)); - } - if (lit.sign() && m.is_eq(e)) { - if (a && b && a->get_root() == b->get_root()) { - IF_VERBOSE(0, verbose_stream() << "not disequal " << lit << " " << mk_pp(e, m) << "\n"); - ctx.display(verbose_stream()); - UNREACHABLE(); + if (lit.sign()) { + if (a && b && a->get_root() == b->get_root()) { + IF_VERBOSE(0, verbose_stream() << "not disequal " << lit << " " << mk_pp(e, m) << "\n"); + ctx.display(verbose_stream()); + UNREACHABLE(); + } + } + else { + if (a && b && a->get_root() != b->get_root()) { + IF_VERBOSE(0, verbose_stream() << "not equal " << lit << " " << mk_pp(e, m) << "\n"); + //UNREACHABLE(); + } } } - else if (!lit.sign() && m.is_eq(e)) { - if (a && b && a->get_root() != b->get_root()) { - IF_VERBOSE(0, verbose_stream() << "not equal " << lit << " " << mk_pp(e, m) << "\n"); - //UNREACHABLE(); - } - } - else if (to_app(e)->get_family_id() != basic_family_id && lit.sign()) { + else if (to_app(e)->get_family_id() != basic_family_id) { auto* ne = g.find(e); - auto* nf = g.find(m.mk_false()); - if (ne && nf && ne->get_root() != nf->get_root()) { - IF_VERBOSE(0, verbose_stream() << "not false " << lit << " " << mk_pp(e, m) << "\n"); - //UNREACHABLE(); + if (lit.sign()) { + auto* nf = g.find(m.mk_false()); + if (ne && nf && ne->get_root() != nf->get_root()) { + IF_VERBOSE(0, verbose_stream() << "not false " << lit << " " << mk_pp(e, m) << "\n"); + //UNREACHABLE(); + } } - } - else if (to_app(e)->get_family_id() != basic_family_id && !lit.sign()) { - auto* ne = g.find(e); - auto* nt = g.find(m.mk_true()); - if (ne && nt && ne->get_root() != nt->get_root()) { - IF_VERBOSE(0, verbose_stream() << "not true " << lit << " " << mk_pp(e, m) << "\n"); - //UNREACHABLE(); + else { + auto* nt = g.find(m.mk_true()); + if (ne && nt && ne->get_root() != nt->get_root()) { + IF_VERBOSE(0, verbose_stream() << "not true " << lit << " " << mk_pp(e, m) << "\n"); + //UNREACHABLE(); + } } } diff --git a/src/math/realclosure/realclosure.cpp b/src/math/realclosure/realclosure.cpp index 8b11e1725..4ba1c11fa 100644 --- a/src/math/realclosure/realclosure.cpp +++ b/src/math/realclosure/realclosure.cpp @@ -3448,16 +3448,21 @@ namespace realclosure { return true; } - unsigned get_sign_condition_size(numeral const &a, unsigned i) { - algebraic * ext = to_algebraic(to_rational_function(a)->ext()); + sign_condition* get_ith_sign_condition(algebraic* ext, unsigned i) { const sign_det * sdt = ext->sdt(); if (!sdt) - return 0; + return nullptr; sign_condition * sc = sdt->sc(ext->sc_idx()); - while (i) { - if (sc) sc = sc->prev(); + while (i && sc) { + sc = sc->prev(); i--; } + return sc; + } + + unsigned get_sign_condition_size(numeral const &a, unsigned i) { + algebraic * ext = to_algebraic(to_rational_function(a)->ext()); + sign_condition * sc = get_ith_sign_condition(ext, i); if (!sc) return 0; return ext->sdt()->qs()[sc->qidx()].size(); @@ -3468,14 +3473,7 @@ namespace realclosure { if (!is_algebraic(a)) return 0; algebraic * ext = to_algebraic(to_rational_function(a)->ext()); - const sign_det * sdt = ext->sdt(); - if (!sdt) - return 0; - sign_condition * sc = sdt->sc(ext->sc_idx()); - while (i) { - if (sc) sc = sc->prev(); - i--; - } + sign_condition * sc = get_ith_sign_condition(ext, i); if (!sc) return 0; const polynomial & q = ext->sdt()->qs()[sc->qidx()]; @@ -3487,14 +3485,7 @@ namespace realclosure { if (!is_algebraic(a)) return numeral(); algebraic * ext = to_algebraic(to_rational_function(a)->ext()); - const sign_det * sdt = ext->sdt(); - if (!sdt) - return numeral(); - sign_condition * sc = sdt->sc(ext->sc_idx()); - while (i) { - if (sc) sc = sc->prev(); - i--; - } + sign_condition * sc = get_ith_sign_condition(ext, i); if (!sc) return numeral(); const polynomial & q = ext->sdt()->qs()[sc->qidx()]; From 240453e452dc0235631369332c97f560df09fe30 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Mar 2026 18:38:06 +0000 Subject: [PATCH 28/29] Initial plan From 175a50330b144ae2524a51738bc02ab796a0c2fd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Mar 2026 18:39:34 +0000 Subject: [PATCH 29/29] Update RELEASE_NOTES.md with additional Version 4.17.0 entries from discussion #8907 Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com> --- RELEASE_NOTES.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 727013284..f0fdb2543 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -21,6 +21,25 @@ Version 4.17.0 Thanks to Nuno Lopes, https://github.com/Z3Prover/z3/pull/8583 - Fix spurious sort error with nested quantifiers in model finder. `Fixes #8563` - NLSAT optimizations including improvements to handle_nullified_poly and levelwise algorithm. Thanks to Lev Nachmanson. +- Add ASan/UBSan memory safety CI workflow for continuous runtime safety checking. Thanks to Angelica Moreira. + https://github.com/Z3Prover/z3/pull/8856 +- Add missing API bindings across multiple languages: + - Python: BvNand, BvNor, BvXnor operations, Optimize.translate() + - Go: MkAsArray, MkRecFuncDecl, AddRecDef, Model.Translate, MkBVRotateLeft, MkBVRotateRight, MkRepeat, and 8 BV overflow/underflow check functions + - TypeScript: Array.fromFunc, Model.translate + - OCaml: Model.translate, mk_re_allchar (thanks to Filipe Marques, https://github.com/Z3Prover/z3/pull/8785) + - Java: as-array method (thanks to Ruijie Fang, https://github.com/Z3Prover/z3/pull/8762) +- Fix #7507: simplify (>= product_of_consecutive_ints 0) to true +- Fix #7951: add cancellation checks to polynomial gcd_prs and HNF computation +- Fix #7677: treat FC_CONTINUE from check_nla as FEASIBLE in maximize +- Fix assertion violation in q_mbi diagnostic output +- Fix memory leaks in model_based_opt def ref-counting +- Fix NoSuchFieldError in JNI for BoolPtr: use Z field descriptor and SetBooleanField +- Fix TypeScript Array.fromFunc to use f.ptr instead of f.ast for Z3_func_decl type +- Fix intblast ubv_to_int bug: add bv2int axioms for compound expressions +- Fix static analysis findings: uninitialized variables, bitwise shift undefined behavior, and null pointer dereferences +- Convert bv1-blast and blast-term-ite tactics to also expose as simplifiers for more flexible integration +- Change default of param lws_subs_witness_disc to true for improved NLSAT performance. Thanks to Lev Nachmanson. Version 4.16.0 ==============