mirrors/z3
3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2026-01-23 18:44:02 +00:00
Code Activity

Enable automatic std::optional refactoring PRs in Code Conventions Analyzer (#8284)

Browse source 
* Initial plan

* Modify Code Conventions Analyzer to create PRs for std::optional refactoring

Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>

* Complete Code Conventions Analyzer workflow modification

Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>

* Fix reference clarity in workflow documentation

Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: NikolajBjorner <3085284+NikolajBjorner@users.noreply.github.com>
This commit is contained in:
Copilot 2026-01-22 10:58:10 -08:00 committed by GitHub
parent d055eea24e
commit d2e0354ce4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 827 additions and 501 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/agentics-maintenance.yml vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.37.2). DO NOT EDIT.
# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.37.9). DO NOT EDIT.
#
# To regenerate this workflow, run:
# gh aw compile
@ -46,7 +46,7 @@ jobs:
issues: write
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions

133
.github/workflows/api-coherence-checker.lock.yml generated vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw (v0.37.2). DO NOT EDIT.
# This file was automatically generated by gh-aw (v0.37.9). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@ -45,7 +45,7 @@ jobs:
comment_repo: ""
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Check workflow file timestamps
@ -71,7 +71,7 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
outputs:
@ -82,7 +82,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Create gh-aw temp directory
@ -131,19 +131,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0
- name: Determine automatic lockdown mode for GitHub MCP server
@ -157,7 +145,7 @@ jobs:
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.74 node:lts-alpine
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.76 node:lts-alpine
- name: Write Safe Outputs Config
run: |
mkdir -p /opt/gh-aw/safeoutputs
@ -328,10 +316,49 @@ jobs:
}
}
EOF
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
# Generate a secure random API key (360 bits of entropy, 40+ chars)
API_KEY=""
API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
PORT=3001
# Register API key as secret to mask it from logs
echo "::add-mask::${API_KEY}"
# Set outputs for next steps
{
echo "safe_outputs_api_key=${API_KEY}"
echo "safe_outputs_port=${PORT}"
} >> "$GITHUB_OUTPUT"
echo "Safe Outputs MCP server will run on port ${PORT}"
- name: Start Safe Outputs MCP HTTP Server
id: safe-outputs-start
env:
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway
id: start-mcp-gateway
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
@ -348,7 +375,7 @@ jobs:
# Register API key as secret to mask it from logs
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.74'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.76'
mkdir -p /home/runner/.copilot
cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
@ -365,42 +392,10 @@ jobs:
}
},
"safeoutputs": {
"type": "stdio",
"container": "node:lts-alpine",
"entrypoint": "node",
"entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"],
"mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw", "${{ github.workspace }}:${{ github.workspace }}:rw"],
"env": {
"GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}",
"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}",
"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}",
"GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}",
"GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}",
"GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}",
"GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}",
"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}",
"GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}",
"GITHUB_SHA": "\${GITHUB_SHA}",
"GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}",
"DEFAULT_BRANCH": "\${DEFAULT_BRANCH}",
"GITHUB_RUN_ID": "\${GITHUB_RUN_ID}",
"GITHUB_RUN_NUMBER": "\${GITHUB_RUN_NUMBER}",
"GITHUB_RUN_ATTEMPT": "\${GITHUB_RUN_ATTEMPT}",
"GITHUB_JOB": "\${GITHUB_JOB}",
"GITHUB_ACTION": "\${GITHUB_ACTION}",
"GITHUB_EVENT_NAME": "\${GITHUB_EVENT_NAME}",
"GITHUB_EVENT_PATH": "\${GITHUB_EVENT_PATH}",
"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
"GITHUB_ACTOR_ID": "\${GITHUB_ACTOR_ID}",
"GITHUB_TRIGGERING_ACTOR": "\${GITHUB_TRIGGERING_ACTOR}",
"GITHUB_WORKFLOW": "\${GITHUB_WORKFLOW}",
"GITHUB_WORKFLOW_REF": "\${GITHUB_WORKFLOW_REF}",
"GITHUB_WORKFLOW_SHA": "\${GITHUB_WORKFLOW_SHA}",
"GITHUB_REF": "\${GITHUB_REF}",
"GITHUB_REF_NAME": "\${GITHUB_REF_NAME}",
"GITHUB_REF_TYPE": "\${GITHUB_REF_TYPE}",
"GITHUB_HEAD_REF": "\${GITHUB_HEAD_REF}",
"GITHUB_BASE_REF": "\${GITHUB_BASE_REF}"
"type": "http",
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
}
},
"serena": {
@ -431,8 +426,8 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
agent_version: "0.0.388",
cli_version: "v0.37.2",
agent_version: "0.0.389",
cli_version: "v0.37.9",
workflow_name: "API Coherence Checker",
experimental: false,
supports_tools_allowlist: true,
@ -450,7 +445,7 @@ jobs:
allowed_domains: [],
firewall_enabled: true,
awf_version: "v0.10.0",
awmg_version: "v0.0.74",
awmg_version: "v0.0.76",
steps: {
firewall: "squid"
},
@ -955,7 +950,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Debug job inputs
@ -1054,7 +1049,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent artifacts
@ -1138,19 +1133,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
@ -1216,7 +1199,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent output artifact
@ -1253,7 +1236,7 @@ jobs:
permissions: {}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download cache-memory artifact (default)

131
.github/workflows/build-warning-fixer.lock.yml generated vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw (v0.37.2). DO NOT EDIT.
# This file was automatically generated by gh-aw (v0.37.9). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@ -45,7 +45,7 @@ jobs:
comment_repo: ""
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Check workflow file timestamps
@ -71,7 +71,7 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
outputs:
@ -82,7 +82,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Checkout repository
@ -121,19 +121,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0
- name: Determine automatic lockdown mode for GitHub MCP server
@ -147,7 +135,7 @@ jobs:
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.74 node:lts-alpine
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.76 node:lts-alpine
- name: Write Safe Outputs Config
run: |
mkdir -p /opt/gh-aw/safeoutputs
@ -328,10 +316,49 @@ jobs:
}
}
EOF
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
# Generate a secure random API key (360 bits of entropy, 40+ chars)
API_KEY=""
API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
PORT=3001
# Register API key as secret to mask it from logs
echo "::add-mask::${API_KEY}"
# Set outputs for next steps
{
echo "safe_outputs_api_key=${API_KEY}"
echo "safe_outputs_port=${PORT}"
} >> "$GITHUB_OUTPUT"
echo "Safe Outputs MCP server will run on port ${PORT}"
- name: Start Safe Outputs MCP HTTP Server
id: safe-outputs-start
env:
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway
id: start-mcp-gateway
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
@ -348,7 +375,7 @@ jobs:
# Register API key as secret to mask it from logs
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.74'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.76'
mkdir -p /home/runner/.copilot
cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
@ -365,42 +392,10 @@ jobs:
}
},
"safeoutputs": {
"type": "stdio",
"container": "node:lts-alpine",
"entrypoint": "node",
"entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"],
"mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw", "${{ github.workspace }}:${{ github.workspace }}:rw"],
"env": {
"GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}",
"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}",
"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}",
"GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}",
"GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}",
"GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}",
"GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}",
"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}",
"GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}",
"GITHUB_SHA": "\${GITHUB_SHA}",
"GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}",
"DEFAULT_BRANCH": "\${DEFAULT_BRANCH}",
"GITHUB_RUN_ID": "\${GITHUB_RUN_ID}",
"GITHUB_RUN_NUMBER": "\${GITHUB_RUN_NUMBER}",
"GITHUB_RUN_ATTEMPT": "\${GITHUB_RUN_ATTEMPT}",
"GITHUB_JOB": "\${GITHUB_JOB}",
"GITHUB_ACTION": "\${GITHUB_ACTION}",
"GITHUB_EVENT_NAME": "\${GITHUB_EVENT_NAME}",
"GITHUB_EVENT_PATH": "\${GITHUB_EVENT_PATH}",
"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
"GITHUB_ACTOR_ID": "\${GITHUB_ACTOR_ID}",
"GITHUB_TRIGGERING_ACTOR": "\${GITHUB_TRIGGERING_ACTOR}",
"GITHUB_WORKFLOW": "\${GITHUB_WORKFLOW}",
"GITHUB_WORKFLOW_REF": "\${GITHUB_WORKFLOW_REF}",
"GITHUB_WORKFLOW_SHA": "\${GITHUB_WORKFLOW_SHA}",
"GITHUB_REF": "\${GITHUB_REF}",
"GITHUB_REF_NAME": "\${GITHUB_REF_NAME}",
"GITHUB_REF_TYPE": "\${GITHUB_REF_TYPE}",
"GITHUB_HEAD_REF": "\${GITHUB_HEAD_REF}",
"GITHUB_BASE_REF": "\${GITHUB_BASE_REF}"
"type": "http",
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
}
}
},
@ -423,8 +418,8 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
agent_version: "0.0.388",
cli_version: "v0.37.2",
agent_version: "0.0.389",
cli_version: "v0.37.9",
workflow_name: "Build Warning Fixer",
experimental: false,
supports_tools_allowlist: true,
@ -442,7 +437,7 @@ jobs:
allowed_domains: [],
firewall_enabled: true,
awf_version: "v0.10.0",
awmg_version: "v0.0.74",
awmg_version: "v0.0.76",
steps: {
firewall: "squid"
},
@ -871,7 +866,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Debug job inputs
@ -972,7 +967,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent artifacts
@ -1056,19 +1051,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
@ -1136,7 +1119,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent output artifact

453
.github/workflows/code-conventions-analyzer.lock.yml generated vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw (v0.37.2). DO NOT EDIT.
# This file was automatically generated by gh-aw (v0.37.9). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@ -45,7 +45,7 @@ jobs:
comment_repo: ""
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Check workflow file timestamps
@ -71,7 +71,7 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
outputs:
@ -82,7 +82,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Checkout repository
@ -132,19 +132,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0
- name: Determine automatic lockdown mode for GitHub MCP server
@ -158,14 +146,14 @@ jobs:
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.74 node:lts-alpine
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.76 node:lts-alpine
- name: Write Safe Outputs Config
run: |
mkdir -p /opt/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
cat > /opt/gh-aw/safeoutputs/config.json << 'EOF'
{"create_discussion":{"max":1},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
{"create_discussion":{"max":1},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
EOF
cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF'
[
@ -195,6 +183,39 @@ jobs:
},
"name": "create_discussion"
},
{
"description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[Conventions] \". Labels [code-quality automated] will be automatically added. PRs will be created as drafts.",
"inputSchema": {
"additionalProperties": false,
"properties": {
"body": {
"description": "Detailed PR description in Markdown. Include what changes were made, why, testing notes, and any breaking changes. Do NOT repeat the title as a heading.",
"type": "string"
},
"branch": {
"description": "Source branch name containing the changes. If omitted, uses the current working branch.",
"type": "string"
},
"labels": {
"description": "Labels to categorize the PR (e.g., 'enhancement', 'bugfix'). Labels must exist in the repository.",
"items": {
"type": "string"
},
"type": "array"
},
"title": {
"description": "Concise PR title describing the changes. Follow repository conventions (e.g., conventional commits). The title appears as the main heading.",
"type": "string"
}
},
"required": [
"title",
"body"
],
"type": "object"
},
"name": "create_pull_request"
},
{
"description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
"inputSchema": {
@ -294,6 +315,35 @@ jobs:
}
}
},
"create_pull_request": {
"defaultMax": 1,
"fields": {
"body": {
"required": true,
"type": "string",
"sanitize": true,
"maxLength": 65000
},
"branch": {
"required": true,
"type": "string",
"sanitize": true,
"maxLength": 256
},
"labels": {
"type": "array",
"itemType": "string",
"itemSanitize": true,
"itemMaxLength": 128
},
"title": {
"required": true,
"type": "string",
"sanitize": true,
"maxLength": 128
}
}
},
"missing_tool": {
"defaultMax": 20,
"fields": {
@ -329,10 +379,49 @@ jobs:
}
}
EOF
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
# Generate a secure random API key (360 bits of entropy, 40+ chars)
API_KEY=""
API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
PORT=3001
# Register API key as secret to mask it from logs
echo "::add-mask::${API_KEY}"
# Set outputs for next steps
{
echo "safe_outputs_api_key=${API_KEY}"
echo "safe_outputs_port=${PORT}"
} >> "$GITHUB_OUTPUT"
echo "Safe Outputs MCP server will run on port ${PORT}"
- name: Start Safe Outputs MCP HTTP Server
id: safe-outputs-start
env:
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway
id: start-mcp-gateway
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
@ -349,7 +438,7 @@ jobs:
# Register API key as secret to mask it from logs
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.74'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.76'
mkdir -p /home/runner/.copilot
cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
@ -366,42 +455,10 @@ jobs:
}
},
"safeoutputs": {
"type": "stdio",
"container": "node:lts-alpine",
"entrypoint": "node",
"entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"],
"mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw", "${{ github.workspace }}:${{ github.workspace }}:rw"],
"env": {
"GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}",
"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}",
"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}",
"GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}",
"GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}",
"GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}",
"GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}",
"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}",
"GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}",
"GITHUB_SHA": "\${GITHUB_SHA}",
"GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}",
"DEFAULT_BRANCH": "\${DEFAULT_BRANCH}",
"GITHUB_RUN_ID": "\${GITHUB_RUN_ID}",
"GITHUB_RUN_NUMBER": "\${GITHUB_RUN_NUMBER}",
"GITHUB_RUN_ATTEMPT": "\${GITHUB_RUN_ATTEMPT}",
"GITHUB_JOB": "\${GITHUB_JOB}",
"GITHUB_ACTION": "\${GITHUB_ACTION}",
"GITHUB_EVENT_NAME": "\${GITHUB_EVENT_NAME}",
"GITHUB_EVENT_PATH": "\${GITHUB_EVENT_PATH}",
"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
"GITHUB_ACTOR_ID": "\${GITHUB_ACTOR_ID}",
"GITHUB_TRIGGERING_ACTOR": "\${GITHUB_TRIGGERING_ACTOR}",
"GITHUB_WORKFLOW": "\${GITHUB_WORKFLOW}",
"GITHUB_WORKFLOW_REF": "\${GITHUB_WORKFLOW_REF}",
"GITHUB_WORKFLOW_SHA": "\${GITHUB_WORKFLOW_SHA}",
"GITHUB_REF": "\${GITHUB_REF}",
"GITHUB_REF_NAME": "\${GITHUB_REF_NAME}",
"GITHUB_REF_TYPE": "\${GITHUB_REF_TYPE}",
"GITHUB_HEAD_REF": "\${GITHUB_HEAD_REF}",
"GITHUB_BASE_REF": "\${GITHUB_BASE_REF}"
"type": "http",
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
}
}
},
@ -424,8 +481,8 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
agent_version: "0.0.388",
cli_version: "v0.37.2",
agent_version: "0.0.389",
cli_version: "v0.37.9",
workflow_name: "Code Conventions Analyzer",
experimental: false,
supports_tools_allowlist: true,
@ -443,7 +500,7 @@ jobs:
allowed_domains: [],
firewall_enabled: true,
awf_version: "v0.10.0",
awmg_version: "v0.0.74",
awmg_version: "v0.0.76",
steps: {
firewall: "squid"
},
@ -512,7 +569,7 @@ jobs:
<instructions>
To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls.
**Available tools**: create_discussion, missing_tool, noop
**Available tools**: create_discussion, create_pull_request, missing_tool, noop
**Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped.
</instructions>
@ -556,10 +613,143 @@ jobs:
## Your Task
Conduct a comprehensive analysis of the Z3 codebase to identify:
1. **Coding convention inconsistencies** across the codebase
2. **Opportunities to use modern C++ features** that would simplify code
3. **Common patterns** that could be improved or standardized
**PRIMARY FOCUS: Create Pull Requests for std::optional Refactoring**
Your primary task is to identify and **directly implement** refactorings that replace pointer-based optional patterns with `std::optional<T>`. This workflow will:
1. **Find std::optional opportunities** - Functions returning null pointers to indicate absence or using output parameters
2. **Implement the refactoring** - Use the `edit` tool to make actual code changes
3. **Create pull requests** - Automatically create a PR with your changes for std::optional improvements
4. **Create discussions for other findings** - For other code quality issues, create discussions (not PRs)
**Focus Areas for std::optional Refactoring:**
- Functions returning `nullptr` to indicate "no value"
- Functions using output parameters (pointer/reference parameters) to return optional results
- Boolean return + output parameter patterns (e.g., `bool get_value(T* out)`)
- APIs that would benefit from explicit optional semantics
**Secondary Task:**
Additionally, conduct analysis of other coding conventions and modern C++ opportunities for discussion (not immediate implementation)
## Workflow for std::optional Refactoring (PRIMARY)
### Step A: Find std::optional Refactoring Opportunities
1. **Search for common patterns** that should use `std::optional`:
```bash
# Functions returning nullptr to indicate absence
grep pattern: "return nullptr;" glob: "src/**/*.{cpp,h}"
# Boolean return + output parameter patterns
grep pattern: "bool [a-z_]+\(.*\*" glob: "src/**/*.h"
grep pattern: "bool [a-z_]+\(.*&" glob: "src/**/*.h"
# Functions with output parameters
grep pattern: "\([^,]+\*[^,]*\)" glob: "src/**/*.h"
```
2. **Analyze candidates** for refactoring:
- Use `view` to examine the function implementation
- Check if the function is part of the public API or internal
- Verify that the pattern is indeed optional (not always valid)
- Ensure the change would improve code clarity
3. **Select 1-3 high-value targets** per run:
- Prefer internal APIs over public APIs (less breaking)
- Choose functions with clear optional semantics
- Focus on functions with multiple call sites for broader impact
### Step B: Implement the Refactoring
For each selected function:
1. **Update the function signature** in header file:
```cpp
// Before:
bool get_something(T* result);
// or
T* find_something();
// After:
std::optional<T> get_something();
```
2. **Update the function implementation**:
```cpp
// Before:
bool get_something(T* result) {
if (condition) {
*result = value;
return true;
}
return false;
}
// After:
std::optional<T> get_something() {
if (condition) {
return value;
}
return std::nullopt;
}
```
3. **Update all call sites** to use the new API:
```cpp
// Before:
T result;
if (get_something(&result)) {
use(result);
}
// After:
if (auto result = get_something()) {
use(*result);
}
```
4. **Verify the changes**:
- Use `grep` to find any remaining call sites
- Check that the refactoring is complete
- Ensure no compilation errors would occur
### Step C: Create the Pull Request
Use the `output.create-pull-request` tool to create a PR with:
- **Title**: "Refactor [function_name] to use std::optional"
- **Description**:
- Explain what was changed
- Why std::optional is better (type safety, explicit semantics)
- List all modified files
- Note any caveats or considerations
**Example PR description:**
```markdown
# Refactor to use std::optional
This PR refactors the following functions to use `std::optional<T>` instead of pointer-based optional patterns:
- `get_value()` in `src/util/some_file.cpp`
- `find_item()` in `src/ast/another_file.cpp`
## Benefits:
- Explicit optional semantics (no nullptr checks needed)
- Type safety (can't forget to check for absence)
- Modern C++17 idiom
## Changes:
- Updated function signatures to return `std::optional<T>`
- Modified implementations to return `std::nullopt` instead of `nullptr`
- Updated all call sites to use optional idioms
## Testing:
- No functional changes to logic
- All existing call sites updated
```
### Step D: Create Discussion for Other Findings
If you identify other code quality issues (naming, formatting, other C++ features), create a **discussion** (not a PR) with those findings using the existing discussion format from the workflow.
## Step 1: Initialize or Resume Progress (Cache Memory)
@ -636,7 +826,7 @@ jobs:
**C++17 features:**
- Structured bindings for tuple/pair unpacking
- `if constexpr` for compile-time conditionals
- `std::optional` instead of pointer-based optional values
- **`std::optional` instead of pointer-based optional values** - **PRIMARY FOCUS: Implement these changes directly (see "Workflow for std::optional Refactoring" section near the beginning of this document)**
- `std::string_view` for string parameters
- Fold expressions for variadic templates
- `[[nodiscard]]` and `[[maybe_unused]]` attributes
@ -730,9 +920,9 @@ jobs:
- Return value optimization opportunities being blocked
**Optional Value Patterns:**
- Functions returning null + using output parameters
- Replace with `std::optional<T>` return values
- Cleaner API that avoids pointer/reference output parameters
- **PRIMARY TASK**: Functions returning null + using output parameters
- **ACTION**: Replace with `std::optional<T>` return values using the refactoring workflow above
- **RESULT**: Create a pull request with the actual code changes (see "Workflow for std::optional Refactoring")
**Exception String Construction:**
- Using `stringstream` to build exception messages
@ -805,9 +995,18 @@ jobs:
- Prioritize findings by impact and prevalence
- Measure potential size savings for memory layout optimizations
## Deliverable: Detailed Analysis Discussion
## Deliverables
Create a comprehensive discussion with your findings structured as follows:
### PRIMARY: Pull Request for std::optional Refactoring
If you implement std::optional refactoring (following the workflow above), create a pull request using `output.create-pull-request` with:
- Clear title indicating what was refactored
- Description of changes and benefits
- List of modified files and functions
### SECONDARY: Detailed Analysis Discussion
For other code quality findings (non-std::optional), create a comprehensive discussion with your findings structured as follows:
### Discussion Title
"Code Conventions Analysis - [Date] - [Key Finding Summary]"
@ -831,6 +1030,8 @@ jobs:
### Previously Identified Issues - Status Update
**✅ RESOLVED Issues** (since last run):
PROMPT_EOF
cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"
- [List issues from cache that have been resolved, with brief description]
- [Include file references and what changed]
- [Note: Only include if re-verification confirms resolution]
@ -958,8 +1159,6 @@ jobs:
- Recommendation: Keep explicit (required for polymorphism), but ensure `= default` or add comment
- Examples: [File:line references]
PROMPT_EOF
cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"
#### 4.1.3 Non-Virtual Destructor Safety Analysis
- **Classes with Virtual Methods but Non-Virtual Destructors**: Potential polymorphism issues
- Pattern: Class has virtual methods but destructor is not virtual
@ -1034,11 +1233,19 @@ jobs:
- **Incorrect std::move**: [Move from const, unnecessary moves]
- **Return Value Optimization**: [Places where RVO is blocked]
### 4.8 Optional Value Pattern Modernization
- **Current Pattern**: [Functions returning null + output parameters]
- **Modern Pattern**: [std::optional<T> return value opportunities]
- **API Improvements**: [Specific function signatures to update]
- **Examples**: [File:line references with before/after]
### 4.8 Optional Value Pattern Modernization - **IMPLEMENT AS PULL REQUEST**
**This is the PRIMARY focus area - implement these changes directly:**
- **Current Pattern**: Functions returning null + output parameters
- **Modern Pattern**: `std::optional<T>` return value opportunities
- **Action**: Use the "Workflow for std::optional Refactoring" section above to:
1. Find candidate functions
2. Refactor using the `edit` tool
3. Create a pull request with your changes
- **API Improvements**: Specific function signatures to update
- **Examples**: File:line references with before/after code
- **Output**: Pull request (not just discussion)
### 4.9 Exception String Construction
- **Current**: [stringstream usage for building exception messages]
@ -1238,6 +1445,8 @@ jobs:
**Find potential non-virtual destructor safety issues:**
```
PROMPT_EOF
cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"
# Classes with virtual functions (candidates to check destructor)
grep pattern: "class\s+[A-Za-z_]+.*\{.*virtual\s+" glob: "src/**/*.h"
@ -1318,16 +1527,26 @@ jobs:
## Security and Safety
- Never execute untrusted code
- Use `bash` only for safe read-only operations (git, grep patterns)
- Don't modify any files (this is an analysis-only workflow)
- Focus on identifying issues, not fixing them (fixes can be done in follow-up PRs)
- Use `bash` only for safe operations (git, grep patterns)
- **For std::optional refactoring**: Use the `edit` tool to modify files directly
- **For other findings**: Create discussions only (no code modifications)
- All code changes for std::optional will be reviewed through the PR process
## Output Requirements
- Create exactly ONE comprehensive discussion with all findings
- Use the structured format above
- Include specific file references for all examples
- Provide actionable recommendations
**Two types of outputs:**
1. **Pull Request** (for std::optional refactoring):
- Use `output.create-pull-request` to create a PR
- Include clear title and description
- List all modified files
- Explain the refactoring and its benefits
2. **Discussion** (for other code quality findings):
- Create exactly ONE comprehensive discussion with all findings
- Use the structured format above
- Include specific file references for all examples
- Provide actionable recommendations
- Previous discussions created by this workflow will be automatically closed (using `close-older-discussions: true`)
PROMPT_EOF
@ -1388,9 +1607,17 @@ jobs:
# --allow-tool shell(clang-format --version)
# --allow-tool shell(date)
# --allow-tool shell(echo)
# --allow-tool shell(git add:*)
# --allow-tool shell(git branch:*)
# --allow-tool shell(git checkout:*)
# --allow-tool shell(git commit:*)
# --allow-tool shell(git diff:*)
# --allow-tool shell(git log:*)
# --allow-tool shell(git merge:*)
# --allow-tool shell(git rm:*)
# --allow-tool shell(git show:*)
# --allow-tool shell(git status)
# --allow-tool shell(git switch:*)
# --allow-tool shell(grep)
# --allow-tool shell(head)
# --allow-tool shell(ls)
@ -1405,7 +1632,7 @@ jobs:
run: |
set -o pipefail
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.10.0 \
-- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(clang-format --version)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git diff:*)' --allow-tool 'shell(git log:*)' --allow-tool 'shell(git show:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \
-- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(clang-format --version)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git diff:*)' --allow-tool 'shell(git log:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git show:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \
2>&1 | tee /tmp/gh-aw/agent-stdio.log
env:
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
@ -1544,6 +1771,7 @@ jobs:
/tmp/gh-aw/mcp-logs/
/tmp/gh-aw/sandbox/firewall/logs/
/tmp/gh-aw/agent-stdio.log
/tmp/gh-aw/aw.patch
if-no-files-found: ignore
conclusion:
@ -1566,7 +1794,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Debug job inputs
@ -1667,7 +1895,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent artifacts
@ -1751,19 +1979,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
@ -1812,13 +2028,16 @@ jobs:
safe_outputs:
needs:
- activation
- agent
- detection
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true')
runs-on: ubuntu-slim
permissions:
contents: read
contents: write
discussions: write
issues: write
pull-requests: write
timeout-minutes: 15
env:
GH_AW_ENGINE_ID: "copilot"
@ -1829,7 +2048,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent output artifact
@ -1843,12 +2062,38 @@ jobs:
mkdir -p /tmp/gh-aw/safeoutputs/
find "/tmp/gh-aw/safeoutputs/" -type f -print
echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
- name: Download patch artifact
continue-on-error: true
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: agent-artifacts
path: /tmp/gh-aw/
- name: Checkout repository
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request'))
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
token: ${{ github.token }}
persist-credentials: false
fetch-depth: 1
- name: Configure Git credentials
if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request'))
env:
REPO_NAME: ${{ github.repository }}
SERVER_URL: ${{ github.server_url }}
GIT_TOKEN: ${{ github.token }}
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
# Re-authenticate git with GitHub token
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
echo "Git configured with standard GitHub Actions identity"
- name: Process Safe Outputs
id: process_safe_outputs
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"Agentic Workflows\",\"close_older_discussions\":true,\"expires\":168,\"max\":1,\"title_prefix\":\"Code Conventions Analysis\"},\"missing_data\":{},\"missing_tool\":{}}"
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"Agentic Workflows\",\"close_older_discussions\":true,\"expires\":168,\"max\":1,\"title_prefix\":\"Code Conventions Analysis\"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"if_no_changes\":\"ignore\",\"labels\":[\"code-quality\",\"automated\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[Conventions] \"},\"missing_data\":{},\"missing_tool\":{}}"
with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
@ -1866,7 +2111,7 @@ jobs:
permissions: {}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download cache-memory artifact (default)

210
.github/workflows/code-conventions-analyzer.md vendored
View file

@ -10,12 +10,18 @@ tools:
toolsets: [default]
view: {}
glob: {}
edit: {}
bash:
- "clang-format --version"
- "git log:*"
- "git diff:*"
- "git show:*"
safe-outputs:
create-pull-request:
title-prefix: "[Conventions] "
labels: [code-quality, automated]
draft: true
if-no-changes: ignore
create-discussion:
title-prefix: "Code Conventions Analysis"
category: "Agentic Workflows"
@ -32,10 +38,143 @@ You are an expert C++ code quality analyst specializing in the Z3 theorem prover
## Your Task
Conduct a comprehensive analysis of the Z3 codebase to identify:
1. **Coding convention inconsistencies** across the codebase
2. **Opportunities to use modern C++ features** that would simplify code
3. **Common patterns** that could be improved or standardized
**PRIMARY FOCUS: Create Pull Requests for std::optional Refactoring**
Your primary task is to identify and **directly implement** refactorings that replace pointer-based optional patterns with `std::optional<T>`. This workflow will:
1. **Find std::optional opportunities** - Functions returning null pointers to indicate absence or using output parameters
2. **Implement the refactoring** - Use the `edit` tool to make actual code changes
3. **Create pull requests** - Automatically create a PR with your changes for std::optional improvements
4. **Create discussions for other findings** - For other code quality issues, create discussions (not PRs)
**Focus Areas for std::optional Refactoring:**
- Functions returning `nullptr` to indicate "no value"
- Functions using output parameters (pointer/reference parameters) to return optional results
- Boolean return + output parameter patterns (e.g., `bool get_value(T* out)`)
- APIs that would benefit from explicit optional semantics
**Secondary Task:**
Additionally, conduct analysis of other coding conventions and modern C++ opportunities for discussion (not immediate implementation)
## Workflow for std::optional Refactoring (PRIMARY)
### Step A: Find std::optional Refactoring Opportunities
1. **Search for common patterns** that should use `std::optional`:
```bash
# Functions returning nullptr to indicate absence
grep pattern: "return nullptr;" glob: "src/**/*.{cpp,h}"
# Boolean return + output parameter patterns
grep pattern: "bool [a-z_]+\(.*\*" glob: "src/**/*.h"
grep pattern: "bool [a-z_]+\(.*&" glob: "src/**/*.h"
# Functions with output parameters
grep pattern: "\([^,]+\*[^,]*\)" glob: "src/**/*.h"
```
2. **Analyze candidates** for refactoring:
- Use `view` to examine the function implementation
- Check if the function is part of the public API or internal
- Verify that the pattern is indeed optional (not always valid)
- Ensure the change would improve code clarity
3. **Select 1-3 high-value targets** per run:
- Prefer internal APIs over public APIs (less breaking)
- Choose functions with clear optional semantics
- Focus on functions with multiple call sites for broader impact
### Step B: Implement the Refactoring
For each selected function:
1. **Update the function signature** in header file:
```cpp
// Before:
bool get_something(T* result);
// or
T* find_something();
// After:
std::optional<T> get_something();
```
2. **Update the function implementation**:
```cpp
// Before:
bool get_something(T* result) {
if (condition) {
*result = value;
return true;
}
return false;
}
// After:
std::optional<T> get_something() {
if (condition) {
return value;
}
return std::nullopt;
}
```
3. **Update all call sites** to use the new API:
```cpp
// Before:
T result;
if (get_something(&result)) {
use(result);
}
// After:
if (auto result = get_something()) {
use(*result);
}
```
4. **Verify the changes**:
- Use `grep` to find any remaining call sites
- Check that the refactoring is complete
- Ensure no compilation errors would occur
### Step C: Create the Pull Request
Use the `output.create-pull-request` tool to create a PR with:
- **Title**: "Refactor [function_name] to use std::optional"
- **Description**:
- Explain what was changed
- Why std::optional is better (type safety, explicit semantics)
- List all modified files
- Note any caveats or considerations
**Example PR description:**
```markdown
# Refactor to use std::optional
This PR refactors the following functions to use `std::optional<T>` instead of pointer-based optional patterns:
- `get_value()` in `src/util/some_file.cpp`
- `find_item()` in `src/ast/another_file.cpp`
## Benefits:
- Explicit optional semantics (no nullptr checks needed)
- Type safety (can't forget to check for absence)
- Modern C++17 idiom
## Changes:
- Updated function signatures to return `std::optional<T>`
- Modified implementations to return `std::nullopt` instead of `nullptr`
- Updated all call sites to use optional idioms
## Testing:
- No functional changes to logic
- All existing call sites updated
```
### Step D: Create Discussion for Other Findings
If you identify other code quality issues (naming, formatting, other C++ features), create a **discussion** (not a PR) with those findings using the existing discussion format from the workflow.
## Step 1: Initialize or Resume Progress (Cache Memory)
@ -112,7 +251,7 @@ Z3 uses C++20 (as specified in `.clang-format`). Look for opportunities to use:
**C++17 features:**
- Structured bindings for tuple/pair unpacking
- `if constexpr` for compile-time conditionals
- `std::optional` instead of pointer-based optional values
- **`std::optional` instead of pointer-based optional values** - **PRIMARY FOCUS: Implement these changes directly (see "Workflow for std::optional Refactoring" section near the beginning of this document)**
- `std::string_view` for string parameters
- Fold expressions for variadic templates
- `[[nodiscard]]` and `[[maybe_unused]]` attributes
@ -206,9 +345,9 @@ Identify opportunities specific to Z3's architecture and coding patterns:
- Return value optimization opportunities being blocked
**Optional Value Patterns:**
- Functions returning null + using output parameters
- Replace with `std::optional<T>` return values
- Cleaner API that avoids pointer/reference output parameters
- **PRIMARY TASK**: Functions returning null + using output parameters
- **ACTION**: Replace with `std::optional<T>` return values using the refactoring workflow above
- **RESULT**: Create a pull request with the actual code changes (see "Workflow for std::optional Refactoring")
**Exception String Construction:**
- Using `stringstream` to build exception messages
@ -281,9 +420,18 @@ Identify opportunities specific to Z3's architecture and coding patterns:
- Prioritize findings by impact and prevalence
- Measure potential size savings for memory layout optimizations
## Deliverable: Detailed Analysis Discussion
## Deliverables
Create a comprehensive discussion with your findings structured as follows:
### PRIMARY: Pull Request for std::optional Refactoring
If you implement std::optional refactoring (following the workflow above), create a pull request using `output.create-pull-request` with:
- Clear title indicating what was refactored
- Description of changes and benefits
- List of modified files and functions
### SECONDARY: Detailed Analysis Discussion
For other code quality findings (non-std::optional), create a comprehensive discussion with your findings structured as follows:
### Discussion Title
"Code Conventions Analysis - [Date] - [Key Finding Summary]"
@ -508,11 +656,19 @@ For each opportunity, provide:
- **Incorrect std::move**: [Move from const, unnecessary moves]
- **Return Value Optimization**: [Places where RVO is blocked]
### 4.8 Optional Value Pattern Modernization
- **Current Pattern**: [Functions returning null + output parameters]
- **Modern Pattern**: [std::optional<T> return value opportunities]
- **API Improvements**: [Specific function signatures to update]
- **Examples**: [File:line references with before/after]
### 4.8 Optional Value Pattern Modernization - **IMPLEMENT AS PULL REQUEST**
**This is the PRIMARY focus area - implement these changes directly:**
- **Current Pattern**: Functions returning null + output parameters
- **Modern Pattern**: `std::optional<T>` return value opportunities
- **Action**: Use the "Workflow for std::optional Refactoring" section above to:
1. Find candidate functions
2. Refactor using the `edit` tool
3. Create a pull request with your changes
- **API Improvements**: Specific function signatures to update
- **Examples**: File:line references with before/after code
- **Output**: Pull request (not just discussion)
### 4.9 Exception String Construction
- **Current**: [stringstream usage for building exception messages]
@ -792,14 +948,24 @@ grep pattern: "catch.*continue|catch.*break" glob: "src/**/*.cpp"
## Security and Safety
- Never execute untrusted code
- Use `bash` only for safe read-only operations (git, grep patterns)
- Don't modify any files (this is an analysis-only workflow)
- Focus on identifying issues, not fixing them (fixes can be done in follow-up PRs)
- Use `bash` only for safe operations (git, grep patterns)
- **For std::optional refactoring**: Use the `edit` tool to modify files directly
- **For other findings**: Create discussions only (no code modifications)
- All code changes for std::optional will be reviewed through the PR process
## Output Requirements
- Create exactly ONE comprehensive discussion with all findings
- Use the structured format above
- Include specific file references for all examples
- Provide actionable recommendations
**Two types of outputs:**
1. **Pull Request** (for std::optional refactoring):
- Use `output.create-pull-request` to create a PR
- Include clear title and description
- List all modified files
- Explain the refactoring and its benefits
2. **Discussion** (for other code quality findings):
- Create exactly ONE comprehensive discussion with all findings
- Use the structured format above
- Include specific file references for all examples
- Provide actionable recommendations
- Previous discussions created by this workflow will be automatically closed (using `close-older-discussions: true`)

131
.github/workflows/release-notes-updater.lock.yml generated vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw (v0.37.2). DO NOT EDIT.
# This file was automatically generated by gh-aw (v0.37.9). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@ -45,7 +45,7 @@ jobs:
comment_repo: ""
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Check workflow file timestamps
@ -71,7 +71,7 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
outputs:
@ -82,7 +82,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Create gh-aw temp directory
@ -122,19 +122,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0
- name: Determine automatic lockdown mode for GitHub MCP server
@ -148,7 +136,7 @@ jobs:
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.74 node:lts-alpine
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.76 node:lts-alpine
- name: Write Safe Outputs Config
run: |
mkdir -p /opt/gh-aw/safeoutputs
@ -319,10 +307,49 @@ jobs:
}
}
EOF
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
# Generate a secure random API key (360 bits of entropy, 40+ chars)
API_KEY=""
API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
PORT=3001
# Register API key as secret to mask it from logs
echo "::add-mask::${API_KEY}"
# Set outputs for next steps
{
echo "safe_outputs_api_key=${API_KEY}"
echo "safe_outputs_port=${PORT}"
} >> "$GITHUB_OUTPUT"
echo "Safe Outputs MCP server will run on port ${PORT}"
- name: Start Safe Outputs MCP HTTP Server
id: safe-outputs-start
env:
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway
id: start-mcp-gateway
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
@ -339,7 +366,7 @@ jobs:
# Register API key as secret to mask it from logs
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.74'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.76'
mkdir -p /home/runner/.copilot
cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
@ -356,42 +383,10 @@ jobs:
}
},
"safeoutputs": {
"type": "stdio",
"container": "node:lts-alpine",
"entrypoint": "node",
"entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"],
"mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw", "${{ github.workspace }}:${{ github.workspace }}:rw"],
"env": {
"GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}",
"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}",
"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}",
"GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}",
"GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}",
"GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}",
"GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}",
"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}",
"GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}",
"GITHUB_SHA": "\${GITHUB_SHA}",
"GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}",
"DEFAULT_BRANCH": "\${DEFAULT_BRANCH}",
"GITHUB_RUN_ID": "\${GITHUB_RUN_ID}",
"GITHUB_RUN_NUMBER": "\${GITHUB_RUN_NUMBER}",
"GITHUB_RUN_ATTEMPT": "\${GITHUB_RUN_ATTEMPT}",
"GITHUB_JOB": "\${GITHUB_JOB}",
"GITHUB_ACTION": "\${GITHUB_ACTION}",
"GITHUB_EVENT_NAME": "\${GITHUB_EVENT_NAME}",
"GITHUB_EVENT_PATH": "\${GITHUB_EVENT_PATH}",
"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
"GITHUB_ACTOR_ID": "\${GITHUB_ACTOR_ID}",
"GITHUB_TRIGGERING_ACTOR": "\${GITHUB_TRIGGERING_ACTOR}",
"GITHUB_WORKFLOW": "\${GITHUB_WORKFLOW}",
"GITHUB_WORKFLOW_REF": "\${GITHUB_WORKFLOW_REF}",
"GITHUB_WORKFLOW_SHA": "\${GITHUB_WORKFLOW_SHA}",
"GITHUB_REF": "\${GITHUB_REF}",
"GITHUB_REF_NAME": "\${GITHUB_REF_NAME}",
"GITHUB_REF_TYPE": "\${GITHUB_REF_TYPE}",
"GITHUB_HEAD_REF": "\${GITHUB_HEAD_REF}",
"GITHUB_BASE_REF": "\${GITHUB_BASE_REF}"
"type": "http",
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
}
}
},
@ -414,8 +409,8 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
agent_version: "0.0.388",
cli_version: "v0.37.2",
agent_version: "0.0.389",
cli_version: "v0.37.9",
workflow_name: "Release Notes Updater",
experimental: false,
supports_tools_allowlist: true,
@ -433,7 +428,7 @@ jobs:
allowed_domains: [],
firewall_enabled: true,
awf_version: "v0.10.0",
awmg_version: "v0.0.74",
awmg_version: "v0.0.76",
steps: {
firewall: "squid"
},
@ -918,7 +913,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Debug job inputs
@ -1017,7 +1012,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent artifacts
@ -1101,19 +1096,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
@ -1179,7 +1162,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent output artifact

133
.github/workflows/soundness-bug-detector.lock.yml generated vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw (v0.37.2). DO NOT EDIT.
# This file was automatically generated by gh-aw (v0.37.9). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@ -49,7 +49,7 @@ jobs:
comment_repo: ""
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Check workflow file timestamps
@ -73,7 +73,7 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
outputs:
@ -84,7 +84,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Create gh-aw temp directory
@ -133,19 +133,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0
- name: Determine automatic lockdown mode for GitHub MCP server
@ -159,7 +147,7 @@ jobs:
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.74 node:lts-alpine
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.76 node:lts-alpine
- name: Write Safe Outputs Config
run: |
mkdir -p /opt/gh-aw/safeoutputs
@ -365,10 +353,49 @@ jobs:
}
}
EOF
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
# Generate a secure random API key (360 bits of entropy, 40+ chars)
API_KEY=""
API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
PORT=3001
# Register API key as secret to mask it from logs
echo "::add-mask::${API_KEY}"
# Set outputs for next steps
{
echo "safe_outputs_api_key=${API_KEY}"
echo "safe_outputs_port=${PORT}"
} >> "$GITHUB_OUTPUT"
echo "Safe Outputs MCP server will run on port ${PORT}"
- name: Start Safe Outputs MCP HTTP Server
id: safe-outputs-start
env:
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway
id: start-mcp-gateway
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
@ -385,7 +412,7 @@ jobs:
# Register API key as secret to mask it from logs
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.74'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.76'
mkdir -p /home/runner/.copilot
cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
@ -402,42 +429,10 @@ jobs:
}
},
"safeoutputs": {
"type": "stdio",
"container": "node:lts-alpine",
"entrypoint": "node",
"entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"],
"mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw", "${{ github.workspace }}:${{ github.workspace }}:rw"],
"env": {
"GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}",
"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}",
"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}",
"GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}",
"GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}",
"GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}",
"GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}",
"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}",
"GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}",
"GITHUB_SHA": "\${GITHUB_SHA}",
"GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}",
"DEFAULT_BRANCH": "\${DEFAULT_BRANCH}",
"GITHUB_RUN_ID": "\${GITHUB_RUN_ID}",
"GITHUB_RUN_NUMBER": "\${GITHUB_RUN_NUMBER}",
"GITHUB_RUN_ATTEMPT": "\${GITHUB_RUN_ATTEMPT}",
"GITHUB_JOB": "\${GITHUB_JOB}",
"GITHUB_ACTION": "\${GITHUB_ACTION}",
"GITHUB_EVENT_NAME": "\${GITHUB_EVENT_NAME}",
"GITHUB_EVENT_PATH": "\${GITHUB_EVENT_PATH}",
"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
"GITHUB_ACTOR_ID": "\${GITHUB_ACTOR_ID}",
"GITHUB_TRIGGERING_ACTOR": "\${GITHUB_TRIGGERING_ACTOR}",
"GITHUB_WORKFLOW": "\${GITHUB_WORKFLOW}",
"GITHUB_WORKFLOW_REF": "\${GITHUB_WORKFLOW_REF}",
"GITHUB_WORKFLOW_SHA": "\${GITHUB_WORKFLOW_SHA}",
"GITHUB_REF": "\${GITHUB_REF}",
"GITHUB_REF_NAME": "\${GITHUB_REF_NAME}",
"GITHUB_REF_TYPE": "\${GITHUB_REF_TYPE}",
"GITHUB_HEAD_REF": "\${GITHUB_HEAD_REF}",
"GITHUB_BASE_REF": "\${GITHUB_BASE_REF}"
"type": "http",
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
}
}
},
@ -460,8 +455,8 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
agent_version: "0.0.388",
cli_version: "v0.37.2",
agent_version: "0.0.389",
cli_version: "v0.37.9",
workflow_name: "Soundness Bug Detector",
experimental: false,
supports_tools_allowlist: true,
@ -479,7 +474,7 @@ jobs:
allowed_domains: [],
firewall_enabled: true,
awf_version: "v0.10.0",
awmg_version: "v0.0.74",
awmg_version: "v0.0.76",
steps: {
firewall: "squid"
},
@ -806,7 +801,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Debug job inputs
@ -905,7 +900,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent artifacts
@ -989,19 +984,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
@ -1069,7 +1052,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent output artifact
@ -1106,7 +1089,7 @@ jobs:
permissions: {}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download cache-memory artifact (default)

133
.github/workflows/workflow-suggestion-agent.lock.yml generated vendored
View file

@ -13,7 +13,7 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
#
# This file was automatically generated by gh-aw (v0.37.2). DO NOT EDIT.
# This file was automatically generated by gh-aw (v0.37.9). DO NOT EDIT.
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
@ -45,7 +45,7 @@ jobs:
comment_repo: ""
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Check workflow file timestamps
@ -71,7 +71,7 @@ jobs:
GH_AW_ASSETS_BRANCH: ""
GH_AW_ASSETS_MAX_SIZE_KB: 0
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
outputs:
@ -82,7 +82,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Create gh-aw temp directory
@ -131,19 +131,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0
- name: Determine automatic lockdown mode for GitHub MCP server
@ -157,7 +145,7 @@ jobs:
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.74 node:lts-alpine
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.29.0 ghcr.io/githubnext/gh-aw-mcpg:v0.0.76 node:lts-alpine
- name: Write Safe Outputs Config
run: |
mkdir -p /opt/gh-aw/safeoutputs
@ -328,10 +316,49 @@ jobs:
}
}
EOF
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
run: |
# Generate a secure random API key (360 bits of entropy, 40+ chars)
API_KEY=""
API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
PORT=3001
# Register API key as secret to mask it from logs
echo "::add-mask::${API_KEY}"
# Set outputs for next steps
{
echo "safe_outputs_api_key=${API_KEY}"
echo "safe_outputs_port=${PORT}"
} >> "$GITHUB_OUTPUT"
echo "Safe Outputs MCP server will run on port ${PORT}"
- name: Start Safe Outputs MCP HTTP Server
id: safe-outputs-start
env:
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
run: |
# Environment variables are set above to prevent template injection
export GH_AW_SAFE_OUTPUTS_PORT
export GH_AW_SAFE_OUTPUTS_API_KEY
export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
export GH_AW_MCP_LOG_DIR
bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway
id: start-mcp-gateway
env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
run: |
@ -348,7 +375,7 @@ jobs:
# Register API key as secret to mask it from logs
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.74'
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.76'
mkdir -p /home/runner/.copilot
cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
@ -365,42 +392,10 @@ jobs:
}
},
"safeoutputs": {
"type": "stdio",
"container": "node:lts-alpine",
"entrypoint": "node",
"entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"],
"mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw", "${{ github.workspace }}:${{ github.workspace }}:rw"],
"env": {
"GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}",
"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}",
"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}",
"GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}",
"GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}",
"GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}",
"GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}",
"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}",
"GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}",
"GITHUB_SHA": "\${GITHUB_SHA}",
"GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}",
"DEFAULT_BRANCH": "\${DEFAULT_BRANCH}",
"GITHUB_RUN_ID": "\${GITHUB_RUN_ID}",
"GITHUB_RUN_NUMBER": "\${GITHUB_RUN_NUMBER}",
"GITHUB_RUN_ATTEMPT": "\${GITHUB_RUN_ATTEMPT}",
"GITHUB_JOB": "\${GITHUB_JOB}",
"GITHUB_ACTION": "\${GITHUB_ACTION}",
"GITHUB_EVENT_NAME": "\${GITHUB_EVENT_NAME}",
"GITHUB_EVENT_PATH": "\${GITHUB_EVENT_PATH}",
"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
"GITHUB_ACTOR_ID": "\${GITHUB_ACTOR_ID}",
"GITHUB_TRIGGERING_ACTOR": "\${GITHUB_TRIGGERING_ACTOR}",
"GITHUB_WORKFLOW": "\${GITHUB_WORKFLOW}",
"GITHUB_WORKFLOW_REF": "\${GITHUB_WORKFLOW_REF}",
"GITHUB_WORKFLOW_SHA": "\${GITHUB_WORKFLOW_SHA}",
"GITHUB_REF": "\${GITHUB_REF}",
"GITHUB_REF_NAME": "\${GITHUB_REF_NAME}",
"GITHUB_REF_TYPE": "\${GITHUB_REF_TYPE}",
"GITHUB_HEAD_REF": "\${GITHUB_HEAD_REF}",
"GITHUB_BASE_REF": "\${GITHUB_BASE_REF}"
"type": "http",
"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
"headers": {
"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
}
},
"serena": {
@ -431,8 +426,8 @@ jobs:
engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "",
agent_version: "0.0.388",
cli_version: "v0.37.2",
agent_version: "0.0.389",
cli_version: "v0.37.9",
workflow_name: "Workflow Suggestion Agent",
experimental: false,
supports_tools_allowlist: true,
@ -450,7 +445,7 @@ jobs:
allowed_domains: [],
firewall_enabled: true,
awf_version: "v0.10.0",
awmg_version: "v0.0.74",
awmg_version: "v0.0.76",
steps: {
firewall: "squid"
},
@ -1128,7 +1123,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Debug job inputs
@ -1227,7 +1222,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent artifacts
@ -1311,19 +1306,7 @@ jobs:
env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI
run: |
# Download official Copilot CLI installer script
curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh
# Execute the installer with the specified version
# Pass VERSION directly to sudo to ensure it's available to the installer script
sudo VERSION=0.0.388 bash /tmp/copilot-install.sh
# Cleanup
rm -f /tmp/copilot-install.sh
# Verify installation
copilot --version
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.389
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
@ -1389,7 +1372,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download agent output artifact
@ -1426,7 +1409,7 @@ jobs:
permissions: {}
steps:
- name: Setup Scripts
uses: githubnext/gh-aw/actions/setup@v0.37.2
uses: githubnext/gh-aw/actions/setup@v0.37.9
with:
destination: /opt/gh-aw/actions
- name: Download cache-memory artifact (default)