mirror of https://github.com/Z3Prover/z3 synced 2026-04-30 23:53:44 +00:00

revert to last working flows

Signed-off-by: Nikolaj Bjorner <nbjorner@microsoft.com>
Nikolaj Bjorner 2026-02-16 09:29:10 -08:00
parent e87cf5ad2b
commit e553ee2110
4 changed files with 81 additions and 68 deletions


@ -15,7 +15,7 @@
# #
# This file was automatically generated by gh-aw (v0.45.0). DO NOT EDIT. # This file was automatically generated by gh-aw (v0.45.0). DO NOT EDIT.
# #
# To update this file, edit the corresponding .md file and run: # To update this file, edit z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec and run:
# gh aw compile # gh aw compile
# Not all edits will cause changes to this file. # Not all edits will cause changes to this file.
# #
@ -23,7 +23,9 @@
# #
# Analyzes Python code using a3-python tool to identify bugs and issues # Analyzes Python code using a3-python tool to identify bugs and issues
# #
# frontmatter-hash: 5cf7ccf6678127541919747c71a65386e7e5be18f41536192360a52b167f4bab # Source: z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec
#
# frontmatter-hash: 6a163b563f48c49e7175c12b912c964159de824a41be9e75f50e3afd4408b000
name: "A3 Python Code Analysis" name: "A3 Python Code Analysis"
"on": "on":
@ -48,7 +50,7 @@ jobs:
comment_repo: "" comment_repo: ""
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@v0.45.0 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Check workflow file timestamps - name: Check workflow file timestamps
@ -90,7 +92,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@v0.45.0 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Checkout repository - name: Checkout repository
@ -101,8 +103,7 @@ jobs:
run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
- name: Checkout Python source files - name: Checkout Python source files
run: |- run: |-
git sparse-checkout init --cone git sparse-checkout add src
git sparse-checkout set src
echo "Source files checked out for Python analysis" echo "Source files checked out for Python analysis"
- name: Configure Git credentials - name: Configure Git credentials
@ -798,7 +799,7 @@ jobs:
total_count: ${{ steps.missing_tool.outputs.total_count }} total_count: ${{ steps.missing_tool.outputs.total_count }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@v0.45.0 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Download agent output artifact - name: Download agent output artifact
@ -819,6 +820,8 @@ jobs:
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_NOOP_MAX: 1 GH_AW_NOOP_MAX: 1
GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis" GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis"
GH_AW_WORKFLOW_SOURCE: "z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/z3prover/z3/tree/a91c5c58bd975f336bf5b744885ffd4b36b2d2ec/a3/a3-python-v2.md"
GH_AW_TRACKER_ID: "a3-python-analysis" GH_AW_TRACKER_ID: "a3-python-analysis"
with: with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@ -833,6 +836,8 @@ jobs:
env: env:
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis" GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis"
GH_AW_WORKFLOW_SOURCE: "z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/z3prover/z3/tree/a91c5c58bd975f336bf5b744885ffd4b36b2d2ec/a3/a3-python-v2.md"
GH_AW_TRACKER_ID: "a3-python-analysis" GH_AW_TRACKER_ID: "a3-python-analysis"
with: with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@ -847,6 +852,8 @@ jobs:
env: env:
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis" GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis"
GH_AW_WORKFLOW_SOURCE: "z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/z3prover/z3/tree/a91c5c58bd975f336bf5b744885ffd4b36b2d2ec/a3/a3-python-v2.md"
GH_AW_TRACKER_ID: "a3-python-analysis" GH_AW_TRACKER_ID: "a3-python-analysis"
GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
@ -866,6 +873,8 @@ jobs:
env: env:
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis" GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis"
GH_AW_WORKFLOW_SOURCE: "z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/z3prover/z3/tree/a91c5c58bd975f336bf5b744885ffd4b36b2d2ec/a3/a3-python-v2.md"
GH_AW_TRACKER_ID: "a3-python-analysis" GH_AW_TRACKER_ID: "a3-python-analysis"
GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
@ -891,7 +900,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }} success: ${{ steps.parse_results.outputs.success }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@v0.45.0 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Download agent artifacts - name: Download agent artifacts
@ -995,6 +1004,8 @@ jobs:
GH_AW_TRACKER_ID: "a3-python-analysis" GH_AW_TRACKER_ID: "a3-python-analysis"
GH_AW_WORKFLOW_ID: "a3-python-v2" GH_AW_WORKFLOW_ID: "a3-python-v2"
GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis" GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis"
GH_AW_WORKFLOW_SOURCE: "z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec"
GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/z3prover/z3/tree/a91c5c58bd975f336bf5b744885ffd4b36b2d2ec/a3/a3-python-v2.md"
outputs: outputs:
create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
@ -1002,7 +1013,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@v0.45.0 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Download agent output artifact - name: Download agent output artifact


@ -24,9 +24,9 @@ tracker-id: a3-python-analysis
steps: steps:
- name: Checkout Python source files - name: Checkout Python source files
run: | run: |
git sparse-checkout init --cone git sparse-checkout add src
git sparse-checkout set src
echo "Source files checked out for Python analysis" echo "Source files checked out for Python analysis"
source: z3prover/z3/a3/a3-python-v2.md@a91c5c58bd975f336bf5b744885ffd4b36b2d2ec
--- ---
# A3 Python Code Analysis Agent # A3 Python Code Analysis Agent
@ -36,6 +36,7 @@ You are an expert Python code analyst using the a3-python tool to identify bugs
## Current Context ## Current Context
- **Repository**: ${{ github.repository }} - **Repository**: ${{ github.repository }}
- **Analysis Date**: $(date +%Y-%m-%d)
- **Workspace**: ${{ github.workspace }} - **Workspace**: ${{ github.workspace }}
## Phase 1: Install and Setup a3-python ## Phase 1: Install and Setup a3-python
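Review bot: The added `- **Analysis Date**: $(date +%Y-%m-%d)` bullet under "Current Context" is shell command substitution inside prompt markdown, unlike the `${{ github.repository }}` and `${{ github.workspace }}` expressions beside it, so it will most likely reach the agent as that literal string rather than as a date. The compiled lock file on this page writes prompt text through a quoted heredoc (`cat << 'GH_AW_PROMPT_EOF'`), which does not expand `$(…)`; whether this body takes that path is not visible here, so that part is inferred. Prompt content should not depend on shell expansion in any case, because expanding prompt text in a shell would turn it into a command-injection surface. Either drop the bullet or phrase it as an instruction, e.g. `- **Analysis Date**: run date +%Y-%m-%d and use its output`. The same bullet is added to the other workflow source in the last file section of this commit.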

109
.github/workflows/a3-python.lock.yml generated vendored

@ -13,15 +13,17 @@
# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
# #
# This file was automatically generated by gh-aw (v0.43.15). DO NOT EDIT. # This file was automatically generated by gh-aw (v0.45.0). DO NOT EDIT.
# #
# To update this file, edit the corresponding .md file and run: # To update this file, edit the corresponding .md file and run:
# gh aw compile # gh aw compile
# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # Not all edits will cause changes to this file.
#
# For more information: https://github.github.com/gh-aw/introduction/overview/
# #
# Analyzes Python code using a3-python tool to identify bugs and issues # Analyzes Python code using a3-python tool to identify bugs and issues
# #
# frontmatter-hash: 7348eb5596739e4071fab41ddb1f89d640e825c30d6a7c1a2ffc325cb76bf1ac # frontmatter-hash: 78c6f1b8d2b73100b4f2481152d146354737e02d4120064ea9e6bd1978c062c8
name: "A3 Python Code Analysis" name: "A3 Python Code Analysis"
"on": "on":
@ -46,7 +48,7 @@ jobs:
comment_repo: "" comment_repo: ""
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@a0e753a02a1b3edc578b5c4c9d5d4eaf81ced5bd # v0.43.15 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Check workflow file timestamps - name: Check workflow file timestamps
@ -78,6 +80,7 @@ jobs:
GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
GH_AW_WORKFLOW_ID_SANITIZED: a3python
outputs: outputs:
checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
has_patch: ${{ steps.collect_output.outputs.has_patch }} has_patch: ${{ steps.collect_output.outputs.has_patch }}
@ -87,7 +90,7 @@ jobs:
secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@a0e753a02a1b3edc578b5c4c9d5d4eaf81ced5bd # v0.43.15 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Checkout repository - name: Checkout repository
@ -98,8 +101,7 @@ jobs:
run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
- name: Checkout Python source files - name: Checkout Python source files
run: |- run: |-
git sparse-checkout init --cone git sparse-checkout add src
git sparse-checkout set src
echo "Python source files checked out from src directory" echo "Python source files checked out from src directory"
- name: Configure Git credentials - name: Configure Git credentials
@ -139,8 +141,8 @@ jobs:
engine_name: "GitHub Copilot CLI", engine_name: "GitHub Copilot CLI",
model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
version: "", version: "",
agent_version: "0.0.407", agent_version: "0.0.410",
cli_version: "v0.43.15", cli_version: "v0.45.0",
workflow_name: "A3 Python Code Analysis", workflow_name: "A3 Python Code Analysis",
experimental: false, experimental: false,
supports_tools_allowlist: true, supports_tools_allowlist: true,
@ -154,10 +156,10 @@ jobs:
actor: context.actor, actor: context.actor,
event_name: context.eventName, event_name: context.eventName,
staged: false, staged: false,
allowed_domains: ["default","python"], allowed_domains: ["defaults","python"],
firewall_enabled: true, firewall_enabled: true,
awf_version: "v0.16.1", awf_version: "v0.18.0",
awmg_version: "", awmg_version: "v0.1.4",
steps: { steps: {
firewall: "squid" firewall: "squid"
}, },
@ -178,21 +180,21 @@ jobs:
env: env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI - name: Install GitHub Copilot CLI
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.407 run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.410
- name: Install awf binary - name: Install awf binary
run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.16.1 run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.18.0
- name: Determine automatic lockdown mode for GitHub MCP server - name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown id: determine-automatic-lockdown
env:
TOKEN_CHECK: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
if: env.TOKEN_CHECK != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
with: with:
script: | script: |
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core); await determineAutomaticLockdown(github, context, core);
- name: Download container images - name: Download container images
run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.16.1 ghcr.io/github/gh-aw-firewall/squid:0.16.1 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.18.0 ghcr.io/github/gh-aw-firewall/squid:0.18.0 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine
- name: Write Safe Outputs Config - name: Write Safe Outputs Config
run: | run: |
mkdir -p /opt/gh-aw/safeoutputs mkdir -p /opt/gh-aw/safeoutputs
@ -220,14 +222,15 @@ jobs:
"type": "array" "type": "array"
}, },
"parent": { "parent": {
"description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run.", "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from a previously created issue in the same workflow run.",
"type": [ "type": [
"number", "number",
"string" "string"
] ]
}, },
"temporary_id": { "temporary_id": {
"description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.", "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 3 to 8 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.",
"pattern": "^aw_[A-Za-z0-9]{4,8}$",
"type": "string" "type": "string"
}, },
"title": { "title": {
@ -421,7 +424,7 @@ jobs:
bash /opt/gh-aw/actions/start_safe_outputs_server.sh bash /opt/gh-aw/actions/start_safe_outputs_server.sh
- name: Start MCP gateway - name: Start MCP Gateway
id: start-mcp-gateway id: start-mcp-gateway
env: env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
@ -499,6 +502,7 @@ jobs:
cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT" cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT"
<system> <system>
GH_AW_PROMPT_EOF GH_AW_PROMPT_EOF
cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT"
cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT"
cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT"
cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT" cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"
@ -510,6 +514,19 @@ jobs:
<instructions> <instructions>
To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls.
Temporary IDs: Some safe output tools support a temporary ID field (usually named temporary_id) so you can reference newly-created items elsewhere in the SAME agent output (for example, using #aw_abc1 in a later body).
**IMPORTANT - temporary_id format rules:**
- If you DON'T need to reference the item later, OMIT the temporary_id field entirely (it will be auto-generated if needed)
- If you DO need cross-references/chaining, you MUST match this EXACT validation regex: /^aw_[A-Za-z0-9]{3,8}$/i
- Format: aw_ prefix followed by 3 to 8 alphanumeric characters (A-Z, a-z, 0-9, case-insensitive)
- Valid alphanumeric characters: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
- INVALID examples: aw_ab (too short), aw_123456789 (too long), aw_test-id (contains hyphen), aw_id_123 (contains underscore)
- VALID examples: aw_abc, aw_abc1, aw_Test123, aw_A1B2C3D4, aw_12345678
- To generate valid IDs: use 3-8 random alphanumeric characters or omit the field to let the system auto-generate
Do NOT invent other aw_* formats — downstream steps will reject them with validation errors matching against /^aw_[A-Za-z0-9]{3,8}$/i.
Discover available tools from the safeoutputs MCP server. Discover available tools from the safeoutputs MCP server.
**Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped.
@ -610,9 +627,8 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
run: | run: |
set -o pipefail set -o pipefail
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,default,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.1 --skip-pull \ sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.18.0 --skip-pull \
-- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
2>&1 | tee /tmp/gh-aw/agent-stdio.log
env: env:
COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_AGENT_RUNNER_TYPE: STANDALONE
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
@ -653,7 +669,7 @@ jobs:
else else
echo "No session-state directory found at $SESSION_STATE_DIR" echo "No session-state directory found at $SESSION_STATE_DIR"
fi fi
- name: Stop MCP gateway - name: Stop MCP Gateway
if: always() if: always()
continue-on-error: true continue-on-error: true
env: env:
@ -686,10 +702,11 @@ jobs:
if-no-files-found: warn if-no-files-found: warn
- name: Ingest agent output - name: Ingest agent output
id: collect_output id: collect_output
if: always()
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env: env:
GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,default,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com" GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_API_URL: ${{ github.api_url }} GITHUB_API_URL: ${{ github.api_url }}
with: with:
@ -724,7 +741,7 @@ jobs:
setupGlobals(core, github, context, exec, io); setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
await main(); await main();
- name: Parse MCP gateway logs for step summary - name: Parse MCP Gateway logs for step summary
if: always() if: always()
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with: with:
@ -742,7 +759,12 @@ jobs:
# Fix permissions on firewall logs so they can be uploaded as artifacts # Fix permissions on firewall logs so they can be uploaded as artifacts
# AWF runs with sudo, creating files owned by root # AWF runs with sudo, creating files owned by root
sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
if command -v awf &> /dev/null; then
awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
else
echo 'AWF binary not installed, skipping firewall log summary'
fi
- name: Upload agent artifacts - name: Upload agent artifacts
if: always() if: always()
continue-on-error: true continue-on-error: true
@ -768,16 +790,14 @@ jobs:
runs-on: ubuntu-slim runs-on: ubuntu-slim
permissions: permissions:
contents: read contents: read
discussions: write
issues: write issues: write
pull-requests: write
outputs: outputs:
noop_message: ${{ steps.noop.outputs.noop_message }} noop_message: ${{ steps.noop.outputs.noop_message }}
tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
total_count: ${{ steps.missing_tool.outputs.total_count }} total_count: ${{ steps.missing_tool.outputs.total_count }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@a0e753a02a1b3edc578b5c4c9d5d4eaf81ced5bd # v0.43.15 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Download agent output artifact - name: Download agent output artifact
@ -857,25 +877,6 @@ jobs:
setupGlobals(core, github, context, exec, io); setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs');
await main(); await main();
- name: Update reaction comment with completion status
id: conclusion
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
GH_AW_WORKFLOW_NAME: "A3 Python Code Analysis"
GH_AW_TRACKER_ID: "a3-python-analysis"
GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }}
with:
github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs');
await main();
detection: detection:
needs: agent needs: agent
@ -889,7 +890,7 @@ jobs:
success: ${{ steps.parse_results.outputs.success }} success: ${{ steps.parse_results.outputs.success }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@a0e753a02a1b3edc578b5c4c9d5d4eaf81ced5bd # v0.43.15 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Download agent artifacts - name: Download agent artifacts
@ -931,7 +932,7 @@ jobs:
env: env:
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- name: Install GitHub Copilot CLI - name: Install GitHub Copilot CLI
run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.407 run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.410
- name: Execute GitHub Copilot CLI - name: Execute GitHub Copilot CLI
id: agentic_execution id: agentic_execution
# Copilot CLI tool arguments (sorted): # Copilot CLI tool arguments (sorted):
@ -1000,7 +1001,7 @@ jobs:
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
steps: steps:
- name: Setup Scripts - name: Setup Scripts
uses: github/gh-aw/actions/setup@a0e753a02a1b3edc578b5c4c9d5d4eaf81ced5bd # v0.43.15 uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
with: with:
destination: /opt/gh-aw/actions destination: /opt/gh-aw/actions
- name: Download agent output artifact - name: Download agent output artifact


@ -8,7 +8,7 @@ permissions:
issues: read issues: read
pull-requests: read pull-requests: read
network: network:
allowed: [default, python] allowed: [defaults, python]
safe-outputs: safe-outputs:
create-issue: create-issue:
labels: labels:
@ -24,8 +24,7 @@ tracker-id: a3-python-analysis
steps: steps:
- name: Checkout Python source files - name: Checkout Python source files
run: | run: |
git sparse-checkout init --cone git sparse-checkout add src
git sparse-checkout set src
echo "Python source files checked out from src directory" echo "Python source files checked out from src directory"
--- ---
@ -36,6 +35,7 @@ You are an expert Python code analyst using the a3-python tool to identify bugs
## Current Context ## Current Context
- **Repository**: ${{ github.repository }} - **Repository**: ${{ github.repository }}
- **Analysis Date**: $(date +%Y-%m-%d)
- **Workspace**: ${{ github.workspace }} - **Workspace**: ${{ github.workspace }}
## Phase 1: Install and Setup a3-python ## Phase 1: Install and Setup a3-python
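Review bot: Changing `allowed: [default, python]` to `allowed: [defaults, python]` in the `network:` block at the top of this section looks like more than a spelling fix. In the compiled lock file on this page the old value appears as a literal `default` entry in `--allow-domains`, while the new list gains several dozen hosts (Ubuntu archives, `ppa.launchpad.net`, `packagecloud.io`, `packages.microsoft.com`, CRL/OCSP endpoints); the compiler version changes in the same commit, so the exact cause is inferred. That widens egress for an agent launched with `--allow-all-tools --allow-all-paths`, so the frontmatter should record that the expansion is intended, e.g. `# defaults = gh-aw base allowlist (package mirrors, CRL/OCSP); needed for <reason>`. If the analysis only needs PyPI and the GitHub/Copilot APIs, listing those hosts explicitly would keep the allowlist closer to its previous size. The frontmatter starts and continues outside this hunk.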