Agent Performance Analyzer - Meta-Orchestrator

Agent Performance Analyzer - Meta-Orchestrator #204

Workflow file for this run

.github/workflows/agent-performance-analyzer.lock.yml at fa32af8

	#
	# ___ _ _
	# / _ \ \| \| (_)
	# \| \|_\| \| __ _ ___ _ __ \| \|_ _ ___
	# \| _ \|/ _` \|/ _ \ '_ \\| __\| \|/ __\|
	# \| \| \| \| (_\| \| __/ \| \| \| \|_\| \| (__
	# \_\| \|_/\__, \|\___\|_\| \|_\|\__\|_\|\___\|
	# __/ \|
	# _ _ \|___/
	# \| \| \| \| / _\| \|
	# \| \| \| \| ___ _ __ _ __\| \|_\| \| _____ ____
	# \| \|/\\| \|/ _ \ '__\| \|/ /\| _\| \|/ _ \ \ /\ / / ___\|
	# \ /\ / (_) \| \| \| \| ( \| \| \| \| (_) \ V V /\__ \
	# \/ \/ \___/\|_\| \|_\|\_\\|_\| \|_\|\___/ \_/\_/ \|___/
	#
	# This file was automatically generated by gh-aw. DO NOT EDIT.
	#
	# To update this file, edit the corresponding .md file and run:
	# gh aw compile
	# Not all edits will cause changes to this file.
	#
	# For more information: https://github.github.com/gh-aw/introduction/overview/
	#
	# Meta-orchestrator that analyzes AI agent performance, quality, and effectiveness across the repository
	#
	# Resolved workflow manifest:
	# Imports:
	# - shared/mood.md
	# - shared/reporting.md
	#
	# frontmatter-hash: ecdacefedd21b4c7137f4d517cbc6e88cffbcf923d831cf2fdfb11d2c073302a

	name: "Agent Performance Analyzer - Meta-Orchestrator"
	"on":
	schedule:
	- cron: "13 1 * * *"
	# Friendly format: daily (scattered)
	workflow_dispatch:

	permissions: {}

	concurrency:
	group: "gh-aw-${{ github.workflow }}"

	run-name: "Agent Performance Analyzer - Meta-Orchestrator"

	jobs:
	activation:
	needs: pre_activation
	if: needs.pre_activation.outputs.activated == 'true'
	runs-on: ubuntu-slim
	permissions:
	contents: read
	outputs:
	comment_id: ""
	comment_repo: ""
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Check workflow file timestamps
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_WORKFLOW_FILE: "agent-performance-analyzer.lock.yml"
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs');
	await main();

	agent:
	needs: activation
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	discussions: read
	issues: read
	pull-requests: read
	concurrency:
	group: "gh-aw-copilot-${{ github.workflow }}"
	env:
	DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
	GH_AW_ASSETS_ALLOWED_EXTS: ""
	GH_AW_ASSETS_BRANCH: ""
	GH_AW_ASSETS_MAX_SIZE_KB: 0
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
	outputs:
	checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success \|\| 'true' }}
	has_patch: ${{ steps.collect_output.outputs.has_patch }}
	model: ${{ steps.generate_aw_info.outputs.model }}
	output: ${{ steps.collect_output.outputs.output }}
	output_types: ${{ steps.collect_output.outputs.output_types }}
	secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- name: Setup Go for CLI build
	uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
	with:
	go-version-file: go.mod
	cache: true
	- name: Build gh-aw CLI
	run: \|
	echo "Building gh-aw CLI for linux/amd64..."
	mkdir -p dist
	VERSION=$(git describe --tags --always --dirty)
	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
	-ldflags "-s -w -X main.version=${VERSION}" \
	-o dist/gh-aw-linux-amd64 \
	./cmd/gh-aw
	# Copy binary to root for direct execution in user-defined steps
	cp dist/gh-aw-linux-amd64 ./gh-aw
	chmod +x ./gh-aw
	echo "✓ Built gh-aw CLI successfully"
	- name: Setup Docker Buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
	- name: Build gh-aw Docker image
	uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
	with:
	context: .
	platforms: linux/amd64
	push: false
	load: true
	tags: localhost/gh-aw:dev
	build-args: \|
	BINARY=dist/gh-aw-linux-amd64
	- name: Create gh-aw temp directory
	run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
	# Repo memory git-based storage configuration from frontmatter processed below
	- name: Clone repo-memory branch (default)
	env:
	GH_TOKEN: ${{ github.token }}
	BRANCH_NAME: memory/meta-orchestrators
	TARGET_REPO: ${{ github.repository }}
	MEMORY_DIR: /tmp/gh-aw/repo-memory/default
	CREATE_ORPHAN: true
	run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Checkout PR branch
	id: checkout-pr
	if: \|
	github.event.pull_request
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs');
	await main();
	- name: Generate agentic run info
	id: generate_aw_info
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const fs = require('fs');

	const awInfo = {
	engine_id: "copilot",
	engine_name: "GitHub Copilot CLI",
	model: process.env.GH_AW_MODEL_AGENT_COPILOT \|\| "",
	version: "",
	agent_version: "0.0.409",
	workflow_name: "Agent Performance Analyzer - Meta-Orchestrator",
	experimental: false,
	supports_tools_allowlist: true,
	supports_http_transport: true,
	run_id: context.runId,
	run_number: context.runNumber,
	run_attempt: process.env.GITHUB_RUN_ATTEMPT,
	repository: context.repo.owner + '/' + context.repo.repo,
	ref: context.ref,
	sha: context.sha,
	actor: context.actor,
	event_name: context.eventName,
	staged: false,
	allowed_domains: ["defaults"],
	firewall_enabled: true,
	awf_version: "v0.17.0",
	awmg_version: "",
	steps: {
	firewall: "squid"
	},
	created_at: new Date().toISOString()
	};

	// Write to /tmp/gh-aw directory to avoid inclusion in PR
	const tmpPath = '/tmp/gh-aw/aw_info.json';
	fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2));
	console.log('Generated aw_info.json at:', tmpPath);
	console.log(JSON.stringify(awInfo, null, 2));

	// Set model as output for reuse in other steps/jobs
	core.setOutput('model', awInfo.model);
	- name: Validate COPILOT_GITHUB_TOKEN secret
	id: validate-secret
	run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
	env:
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	- name: Install GitHub Copilot CLI
	run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.409
	- name: Install awf binary
	run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.17.0
	- name: Determine automatic lockdown mode for GitHub MCP server
	id: determine-automatic-lockdown
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	with:
	script: \|
	const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
	await determineAutomaticLockdown(github, context, core);
	- name: Download container images
	run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.17.0 ghcr.io/github/gh-aw-firewall/squid:0.17.0 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine
	- name: Install gh-aw extension
	env:
	GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	run: \|
	# Check if gh-aw extension is already installed
	if gh extension list \| grep -q "github/gh-aw"; then
	echo "gh-aw extension already installed, upgrading..."
	gh extension upgrade gh-aw \|\| true
	else
	echo "Installing gh-aw extension..."
	gh extension install github/gh-aw
	fi
	gh aw --version
	# Copy the gh-aw binary to /opt/gh-aw for MCP server containerization
	mkdir -p /opt/gh-aw
	GH_AW_BIN=$(which gh-aw 2>/dev/null \|\| find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null \| head -1)
	if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then
	cp "$GH_AW_BIN" /opt/gh-aw/gh-aw
	chmod +x /opt/gh-aw/gh-aw
	echo "Copied gh-aw binary to /opt/gh-aw/gh-aw"
	else
	echo "::error::Failed to find gh-aw binary for MCP server"
	exit 1
	fi
	- name: Write Safe Outputs Config
	run: \|
	mkdir -p /opt/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/safeoutputs
	mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
	cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF'
	{"add_comment":{"max":10},"create_discussion":{"expires":168,"max":2},"create_issue":{"expires":48,"group":true,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
	GH_AW_SAFE_OUTPUTS_CONFIG_EOF
	cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF'
	[
	{
	"description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Labels [cookie] will be automatically added.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"body": {
	"description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.",
	"type": "string"
	},
	"labels": {
	"description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.",
	"items": {
	"type": "string"
	},
	"type": "array"
	},
	"parent": {
	"description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from a previously created issue in the same workflow run.",
	"type": [
	"number",
	"string"
	]
	},
	"temporary_id": {
	"description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 3 to 8 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.",
	"pattern": "^aw_[A-Za-z0-9]{4,8}$",
	"type": "string"
	},
	"title": {
	"description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.",
	"type": "string"
	}
	},
	"required": [
	"title",
	"body"
	],
	"type": "object"
	},
	"name": "create_issue"
	},
	{
	"description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 2 discussion(s) can be created.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"body": {
	"description": "Discussion content in Markdown. Do NOT repeat the title as a heading since it already appears as the discussion's h1. Include all relevant context, findings, or questions.",
	"type": "string"
	},
	"category": {
	"description": "Discussion category by name (e.g., 'General'), slug (e.g., 'general'), or ID. If omitted, uses the first available category. Category must exist in the repository.",
	"type": "string"
	},
	"title": {
	"description": "Concise discussion title summarizing the topic. The title appears as the main heading, so keep it brief and descriptive.",
	"type": "string"
	}
	},
	"required": [
	"title",
	"body"
	],
	"type": "object"
	},
	"name": "create_discussion"
	},
	{
	"description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 10 comment(s) can be added.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"body": {
	"description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation.",
	"type": "string"
	},
	"item_number": {
	"description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool will attempt to resolve the target from the current workflow context (triggering issue, PR, or discussion).",
	"type": "number"
	}
	},
	"required": [
	"body"
	],
	"type": "object"
	},
	"name": "add_comment"
	},
	{
	"description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"alternatives": {
	"description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
	"type": "string"
	},
	"reason": {
	"description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).",
	"type": "string"
	},
	"tool": {
	"description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.",
	"type": "string"
	}
	},
	"required": [
	"reason"
	],
	"type": "object"
	},
	"name": "missing_tool"
	},
	{
	"description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"message": {
	"description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').",
	"type": "string"
	}
	},
	"required": [
	"message"
	],
	"type": "object"
	},
	"name": "noop"
	},
	{
	"description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.",
	"inputSchema": {
	"additionalProperties": false,
	"properties": {
	"alternatives": {
	"description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).",
	"type": "string"
	},
	"context": {
	"description": "Additional context about the missing data or where it should come from (max 256 characters).",
	"type": "string"
	},
	"data_type": {
	"description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.",
	"type": "string"
	},
	"reason": {
	"description": "Explanation of why this data is needed to complete the task (max 256 characters).",
	"type": "string"
	}
	},
	"required": [],
	"type": "object"
	},
	"name": "missing_data"
	}
	]
	GH_AW_SAFE_OUTPUTS_TOOLS_EOF
	cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF'
	{
	"add_comment": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"item_number": {
	"issueOrPRNumber": true
	}
	}
	},
	"create_discussion": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"category": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	},
	"title": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"create_issue": {
	"defaultMax": 1,
	"fields": {
	"body": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	},
	"labels": {
	"type": "array",
	"itemType": "string",
	"itemSanitize": true,
	"itemMaxLength": 128
	},
	"parent": {
	"issueOrPRNumber": true
	},
	"repo": {
	"type": "string",
	"maxLength": 256
	},
	"temporary_id": {
	"type": "string"
	},
	"title": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"missing_tool": {
	"defaultMax": 20,
	"fields": {
	"alternatives": {
	"type": "string",
	"sanitize": true,
	"maxLength": 512
	},
	"reason": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 256
	},
	"tool": {
	"type": "string",
	"sanitize": true,
	"maxLength": 128
	}
	}
	},
	"noop": {
	"defaultMax": 1,
	"fields": {
	"message": {
	"required": true,
	"type": "string",
	"sanitize": true,
	"maxLength": 65000
	}
	}
	}
	}
	GH_AW_SAFE_OUTPUTS_VALIDATION_EOF
	- name: Generate Safe Outputs MCP Server Config
	id: safe-outputs-config
	run: \|
	# Generate a secure random API key (360 bits of entropy, 40+ chars)
	# Mask immediately to prevent timing vulnerabilities
	API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${API_KEY}"

	PORT=3001

	# Set outputs for next steps
	{
	echo "safe_outputs_api_key=${API_KEY}"
	echo "safe_outputs_port=${PORT}"
	} >> "$GITHUB_OUTPUT"

	echo "Safe Outputs MCP server will run on port ${PORT}"

	- name: Start Safe Outputs MCP HTTP Server
	id: safe-outputs-start
	env:
	DEBUG: '*'
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
	GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json
	GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json
	GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
	run: \|
	# Environment variables are set above to prevent template injection
	export DEBUG
	export GH_AW_SAFE_OUTPUTS_PORT
	export GH_AW_SAFE_OUTPUTS_API_KEY
	export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
	export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
	export GH_AW_MCP_LOG_DIR

	bash /opt/gh-aw/actions/start_safe_outputs_server.sh

	- name: Start MCP gateway
	id: start-mcp-gateway
	env:
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
	GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
	GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' \|\| '0' }}
	GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN \|\| secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	set -eo pipefail
	mkdir -p /tmp/gh-aw/mcp-config

	# Export gateway environment variables for MCP config and gateway script
	export MCP_GATEWAY_PORT="80"
	export MCP_GATEWAY_DOMAIN="host.docker.internal"
	MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 \| tr -d '/+=')
	echo "::add-mask::${MCP_GATEWAY_API_KEY}"
	export MCP_GATEWAY_API_KEY
	export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
	mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
	export DEBUG="*"

	export GH_AW_ENGINE="copilot"
	export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.4'

	mkdir -p /home/runner/.copilot
	cat << GH_AW_MCP_CONFIG_EOF \| bash /opt/gh-aw/actions/start_mcp_gateway.sh
	{
	"mcpServers": {
	"agenticworkflows": {
	"type": "stdio",
	"container": "localhost/gh-aw:dev",
	"mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"],
	"args": ["--network", "host", "-w", "\${GITHUB_WORKSPACE}"],
	"env": {
	"DEBUG": "*",
	"GITHUB_TOKEN": "\${GITHUB_TOKEN}",
	"GITHUB_ACTOR": "\${GITHUB_ACTOR}",
	"GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}"
	}
	},
	"github": {
	"type": "stdio",
	"container": "ghcr.io/github/github-mcp-server:v0.30.3",
	"env": {
	"GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN",
	"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
	"GITHUB_READ_ONLY": "1",
	"GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions"
	}
	},
	"safeoutputs": {
	"type": "http",
	"url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
	"headers": {
	"Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
	}
	}
	},
	"gateway": {
	"port": $MCP_GATEWAY_PORT,
	"domain": "${MCP_GATEWAY_DOMAIN}",
	"apiKey": "${MCP_GATEWAY_API_KEY}",
	"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
	}
	}
	GH_AW_MCP_CONFIG_EOF
	- name: Generate workflow overview
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');
	await generateWorkflowOverview(core);
	- name: Create prompt with built-in context
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	run: \|
	bash /opt/gh-aw/actions/create_prompt_first.sh
	cat << 'GH_AW_PROMPT_EOF' > "$GH_AW_PROMPT"
	<system>
	GH_AW_PROMPT_EOF
	cat "/opt/gh-aw/prompts/xpia.md" >> "$GH_AW_PROMPT"
	cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT"
	cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT"
	cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"

	---

	## Repo Memory Available

	You have access to a persistent repo memory folder at `/tmp/gh-aw/repo-memory/default/` where you can read and write files that are stored in a git branch.

	- Read/Write Access: You can freely read from and write to any files in this folder
	- Git Branch Storage: Files are stored in the `memory/meta-orchestrators` branch of the current repository
	- Automatic Push: Changes are automatically committed and pushed after the workflow completes
	- Merge Strategy: In case of conflicts, your changes (current version) win
	- Persistence: Files persist across workflow runs via git branch storage
	- Allowed File Types: Only the following file extensions are allowed: `.json`, `.jsonl`, `.txt`, `.md`, `.csv`. Files with other extensions will be rejected during validation.

	Constraints:
	- Allowed Files: Only files matching patterns: **
	- Max File Size: 102400 bytes (0.10 MB) per file
	- Max File Count: 100 files per commit

	Examples of what you can store:
	- `/tmp/gh-aw/repo-memory/default/notes.md` - general notes and observations
	- `/tmp/gh-aw/repo-memory/default/notes.txt` - plain text notes
	- `/tmp/gh-aw/repo-memory/default/state.json` - structured state data
	- `/tmp/gh-aw/repo-memory/default/history.jsonl` - activity history in JSON Lines format
	- `/tmp/gh-aw/repo-memory/default/data.csv` - tabular data
	- `/tmp/gh-aw/repo-memory/default/history/` - organized history files in subdirectories (with allowed file types)

	Feel free to create, read, update, and organize files in this folder as needed for your tasks, using only the allowed file types.

	<safe-outputs>
	<description>GitHub API Access Instructions</description>
	<important>
	The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations.
	</important>
	<instructions>
	To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls.

	Temporary IDs: Some safe output tools support a temporary ID field (usually named temporary_id) so you can reference newly-created items elsewhere in the SAME agent output (for example, using #aw_abc1 in a later body).

	IMPORTANT - temporary_id format rules:
	- If you DON'T need to reference the item later, OMIT the temporary_id field entirely (it will be auto-generated if needed)
	- If you DO need cross-references/chaining, you MUST match this EXACT validation regex: /^aw_[A-Za-z0-9]{3,8}$/i
	- Format: aw_ prefix followed by 3 to 8 alphanumeric characters (A-Z, a-z, 0-9, case-insensitive)
	- Valid alphanumeric characters: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
	- INVALID examples: aw_ab (too short), aw_123456789 (too long), aw_test-id (contains hyphen), aw_id_123 (contains underscore)
	- VALID examples: aw_abc, aw_abc1, aw_Test123, aw_A1B2C3D4, aw_12345678
	- To generate valid IDs: use 3-8 random alphanumeric characters or omit the field to let the system auto-generate

	Do NOT invent other aw_* formats — downstream steps will reject them with validation errors matching against /^aw_[A-Za-z0-9]{3,8}$/i.

	Discover available tools from the safeoutputs MCP server.

	Critical: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped.

	Note: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed.
	</instructions>
	</safe-outputs>
	<github-context>
	The following GitHub context information is available for this workflow:
	{{#if __GH_AW_GITHUB_ACTOR__ }}
	- actor: __GH_AW_GITHUB_ACTOR__
	{{/if}}
	{{#if __GH_AW_GITHUB_REPOSITORY__ }}
	- repository: __GH_AW_GITHUB_REPOSITORY__
	{{/if}}
	{{#if __GH_AW_GITHUB_WORKSPACE__ }}
	- workspace: __GH_AW_GITHUB_WORKSPACE__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
	- issue-number: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
	- discussion-number: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
	- pull-request-number: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
	{{/if}}
	{{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
	- comment-id: __GH_AW_GITHUB_EVENT_COMMENT_ID__
	{{/if}}
	{{#if __GH_AW_GITHUB_RUN_ID__ }}
	- workflow-run-id: __GH_AW_GITHUB_RUN_ID__
	{{/if}}
	</github-context>

	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"
	</system>
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"
	{{#runtime-import .github/workflows/shared/mood.md}}
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"
	{{#runtime-import .github/workflows/shared/reporting.md}}
	GH_AW_PROMPT_EOF
	cat << 'GH_AW_PROMPT_EOF' >> "$GH_AW_PROMPT"
	{{#runtime-import .github/workflows/agent-performance-analyzer.md}}
	GH_AW_PROMPT_EOF
	- name: Substitute placeholders
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_GITHUB_ACTOR: ${{ github.actor }}
	GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
	GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
	GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
	GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
	with:
	script: \|
	const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');

	// Call the substitution function
	return await substitutePlaceholders({
	file: process.env.GH_AW_PROMPT,
	substitutions: {
	GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
	GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
	GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
	GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
	GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
	GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
	GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
	GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE
	}
	});
	- name: Interpolate variables and render templates
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
	await main();
	- name: Validate prompt placeholders
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
	- name: Print prompt
	env:
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	run: bash /opt/gh-aw/actions/print_prompt_summary.sh
	- name: Clean git credentials
	run: bash /opt/gh-aw/actions/clean_git_credentials.sh
	- name: Execute GitHub Copilot CLI
	id: agentic_execution
	# Copilot CLI tool arguments (sorted):
	timeout-minutes: 30
	run: \|
	set -o pipefail
	sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.17.0 --skip-pull \
	-- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \
	2>&1 \| tee /tmp/gh-aw/agent-stdio.log
	env:
	COPILOT_AGENT_RUNNER_TYPE: STANDALONE
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
	GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT \|\| '' }}
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GITHUB_HEAD_REF: ${{ github.head_ref }}
	GITHUB_REF_NAME: ${{ github.ref_name }}
	GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
	GITHUB_WORKSPACE: ${{ github.workspace }}
	XDG_CONFIG_HOME: /home/runner
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Copy Copilot session state files to logs
	if: always()
	continue-on-error: true
	run: \|
	# Copy Copilot session state files to logs folder for artifact collection
	# This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
	SESSION_STATE_DIR="$HOME/.copilot/session-state"
	LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"

	if [ -d "$SESSION_STATE_DIR" ]; then
	echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
	mkdir -p "$LOGS_DIR"
	cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null \|\| true
	echo "Session state files copied successfully"
	else
	echo "No session-state directory found at $SESSION_STATE_DIR"
	fi
	- name: Stop MCP gateway
	if: always()
	continue-on-error: true
	env:
	MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
	MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
	GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
	run: \|
	bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
	- name: Redact secrets in logs
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');
	await main();
	env:
	GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN'
	SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
	SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
	SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Upload Safe Outputs
	if: always()
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: safe-output
	path: ${{ env.GH_AW_SAFE_OUTPUTS }}
	if-no-files-found: warn
	- name: Ingest agent output
	id: collect_output
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
	GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
	GITHUB_SERVER_URL: ${{ github.server_url }}
	GITHUB_API_URL: ${{ github.api_url }}
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');
	await main();
	- name: Upload sanitized agent output
	if: always() && env.GH_AW_AGENT_OUTPUT
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: agent-output
	path: ${{ env.GH_AW_AGENT_OUTPUT }}
	if-no-files-found: warn
	- name: Upload engine output files
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: agent_outputs
	path: \|
	/tmp/gh-aw/sandbox/agent/logs/
	/tmp/gh-aw/redacted-urls.log
	if-no-files-found: ignore
	- name: Parse agent logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
	await main();
	- name: Parse MCP gateway logs for step summary
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs');
	await main();
	- name: Print firewall logs
	if: always()
	continue-on-error: true
	env:
	AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
	run: \|
	# Fix permissions on firewall logs so they can be uploaded as artifacts
	# AWF runs with sudo, creating files owned by root
	sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null \|\| true
	awf logs summary \| tee -a "$GITHUB_STEP_SUMMARY"
	# Upload repo memory as artifacts for push job
	- name: Upload repo-memory artifact (default)
	if: always()
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: repo-memory-default
	path: /tmp/gh-aw/repo-memory/default
	retention-days: 1
	if-no-files-found: ignore
	- name: Upload agent artifacts
	if: always()
	continue-on-error: true
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: agent-artifacts
	path: \|
	/tmp/gh-aw/aw-prompts/prompt.txt
	/tmp/gh-aw/aw_info.json
	/tmp/gh-aw/mcp-logs/
	/tmp/gh-aw/sandbox/firewall/logs/
	/tmp/gh-aw/agent-stdio.log
	/tmp/gh-aw/agent/
	if-no-files-found: ignore

	conclusion:
	needs:
	- activation
	- agent
	- detection
	- push_repo_memory
	- safe_outputs
	if: (always()) && (needs.agent.result != 'skipped')
	runs-on: ubuntu-slim
	permissions:
	contents: read
	discussions: write
	issues: write
	pull-requests: write
	outputs:
	noop_message: ${{ steps.noop.outputs.noop_message }}
	tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
	total_count: ${{ steps.missing_tool.outputs.total_count }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
	with:
	name: agent-output
	path: /tmp/gh-aw/safeoutputs/
	- name: Setup agent output environment variable
	run: \|
	mkdir -p /tmp/gh-aw/safeoutputs/
	find "/tmp/gh-aw/safeoutputs/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
	- name: Process No-Op Messages
	id: noop
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_NOOP_MAX: 1
	GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/noop.cjs');
	await main();
	- name: Record Missing Tool
	id: missing_tool
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/missing_tool.cjs');
	await main();
	- name: Handle Agent Failure
	id: handle_agent_failure
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_WORKFLOW_ID: "agent-performance-analyzer"
	GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }}
	GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
	GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }}
	GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }}
	GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }}
	GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs');
	await main();
	- name: Handle No-Op Message
	id: handle_noop_message
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
	GH_AW_NOOP_REPORT_AS_ISSUE: "true"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs');
	await main();
	- name: Update reaction comment with completion status
	id: conclusion
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
	GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }}
	GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
	GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
	GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }}
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs');
	await main();

	detection:
	needs: agent
	if: needs.agent.outputs.output_types != '' \|\| needs.agent.outputs.has_patch == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	concurrency:
	group: "gh-aw-copilot-${{ github.workflow }}"
	timeout-minutes: 10
	outputs:
	success: ${{ steps.parse_results.outputs.success }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Download agent artifacts
	continue-on-error: true
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
	with:
	name: agent-artifacts
	path: /tmp/gh-aw/threat-detection/
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
	with:
	name: agent-output
	path: /tmp/gh-aw/threat-detection/
	- name: Echo agent output types
	env:
	AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
	run: \|
	echo "Agent output-types: $AGENT_OUTPUT_TYPES"
	- name: Setup threat detection
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	WORKFLOW_DESCRIPTION: "Meta-orchestrator that analyzes AI agent performance, quality, and effectiveness across the repository"
	HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs');
	await main();
	- name: Ensure threat-detection directory and log
	run: \|
	mkdir -p /tmp/gh-aw/threat-detection
	touch /tmp/gh-aw/threat-detection/detection.log
	- name: Validate COPILOT_GITHUB_TOKEN secret
	id: validate-secret
	run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
	env:
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	- name: Install GitHub Copilot CLI
	run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.409
	- name: Execute GitHub Copilot CLI
	id: agentic_execution
	# Copilot CLI tool arguments (sorted):
	# --allow-tool shell(cat)
	# --allow-tool shell(grep)
	# --allow-tool shell(head)
	# --allow-tool shell(jq)
	# --allow-tool shell(ls)
	# --allow-tool shell(tail)
	# --allow-tool shell(wc)
	timeout-minutes: 20
	run: \|
	set -o pipefail
	COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"
	mkdir -p /tmp/
	mkdir -p /tmp/gh-aw/
	mkdir -p /tmp/gh-aw/agent/
	mkdir -p /tmp/gh-aw/sandbox/agent/logs/
	copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 \| tee /tmp/gh-aw/threat-detection/detection.log
	env:
	COPILOT_AGENT_RUNNER_TYPE: STANDALONE
	COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
	GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT \|\| '' }}
	GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
	GITHUB_HEAD_REF: ${{ github.head_ref }}
	GITHUB_REF_NAME: ${{ github.ref_name }}
	GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
	GITHUB_WORKSPACE: ${{ github.workspace }}
	XDG_CONFIG_HOME: /home/runner
	- name: Parse threat detection results
	id: parse_results
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs');
	await main();
	- name: Upload threat detection log
	if: always()
	uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
	with:
	name: threat-detection.log
	path: /tmp/gh-aw/threat-detection/detection.log
	if-no-files-found: ignore

	pre_activation:
	runs-on: ubuntu-slim
	permissions:
	contents: read
	outputs:
	activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Check team membership for workflow
	id: check_membership
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_REQUIRED_ROLES: admin,maintainer,write
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/check_membership.cjs');
	await main();

	push_repo_memory:
	needs:
	- agent
	- detection
	if: always() && needs.detection.outputs.success == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	outputs:
	validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }}
	validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	sparse-checkout: .
	- name: Configure Git credentials
	env:
	REPO_NAME: ${{ github.repository }}
	SERVER_URL: ${{ github.server_url }}
	run: \|
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	# Re-authenticate git with GitHub token
	SERVER_URL_STRIPPED="${SERVER_URL#https://}"
	git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
	echo "Git configured with standard GitHub Actions identity"
	- name: Download repo-memory artifact (default)
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
	continue-on-error: true
	with:
	name: repo-memory-default
	path: /tmp/gh-aw/repo-memory/default
	- name: Push repo-memory changes (default)
	id: push_repo_memory_default
	if: always()
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_TOKEN: ${{ github.token }}
	GITHUB_RUN_ID: ${{ github.run_id }}
	ARTIFACT_DIR: /tmp/gh-aw/repo-memory/default
	MEMORY_ID: default
	TARGET_REPO: ${{ github.repository }}
	BRANCH_NAME: memory/meta-orchestrators
	MAX_FILE_SIZE: 102400
	MAX_FILE_COUNT: 100
	ALLOWED_EXTENSIONS: '[]'
	FILE_GLOB_FILTER: "**"
	with:
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs');
	await main();

	safe_outputs:
	needs:
	- agent
	- detection
	if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true')
	runs-on: ubuntu-slim
	permissions:
	contents: read
	discussions: write
	issues: write
	pull-requests: write
	timeout-minutes: 15
	env:
	GH_AW_ENGINE_ID: "copilot"
	GH_AW_WORKFLOW_ID: "agent-performance-analyzer"
	GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator"
	outputs:
	create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
	create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
	process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
	process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
	steps:
	- name: Checkout actions folder
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	sparse-checkout: \|
	actions
	persist-credentials: false
	- name: Setup Scripts
	uses: ./actions/setup
	with:
	destination: /opt/gh-aw/actions
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
	with:
	name: agent-output
	path: /tmp/gh-aw/safeoutputs/
	- name: Setup agent output environment variable
	run: \|
	mkdir -p /tmp/gh-aw/safeoutputs/
	find "/tmp/gh-aw/safeoutputs/" -type f -print
	echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
	- name: Process Safe Outputs
	id: process_safe_outputs
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
	env:
	GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10},\"create_discussion\":{\"expires\":168,\"fallback_to_issue\":true,\"max\":2},\"create_issue\":{\"expires\":48,\"group\":true,\"labels\":[\"cookie\"],\"max\":5},\"missing_data\":{},\"missing_tool\":{}}"
	with:
	github-token: ${{ secrets.GH_AW_GITHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	script: \|
	const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
	setupGlobals(core, github, context, exec, io);
	const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs');
	await main();

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Agent Performance Analyzer - Meta-Orchestrator #204

Workflow file

Agent Performance Analyzer - Meta-Orchestrator #204

Uh oh!

Workflow file for this run