From 9418ede877bd3bfe6cdd05265fe1a81494823f02 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Feb 2026 13:11:37 +0000
Subject: [PATCH 1/2] Initial plan
From 3f80253f24ae8d61d65b0f559805f46bf15506e9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Feb 2026 13:44:36 +0000
Subject: [PATCH 2/2] Update actions/checkout to v6 everywhere
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.github/workflows/ci.yml | 46 +-
.github/workflows/codeql.yml | 2 +-
.github/workflows/copilot-maintenance.yml | 2 +-
.github/workflows/copilot-setup-steps.yml | 2 +-
.../daily-copilot-token-report.lock.yml | 2 +-
.github/workflows/docs.yml | 2 +-
.github/workflows/format-and-commit.yml | 2 +-
.github/workflows/hourly-ci-cleaner.lock.yml | 4 +-
.github/workflows/hourly-ci-cleaner.md | 2 +-
.github/workflows/install.yml | 4 +-
.github/workflows/integration-agentics.yml | 2 +-
.github/workflows/license-check.yml | 2 +-
.github/workflows/link-check.yml | 2 +-
.github/workflows/security-scan.yml | 6 +-
.github/workflows/shared/mcp-debug.md | 2 +-
.github/workflows/vet.yml | 2 +-
actions/setup-cli/README.md | 2 +-
actions/setup/README.md | 2 +-
docs/src/content/docs/examples/multi-repo.md | 4 +-
.../guides/deterministic-agentic-patterns.md | 2 +-
.../docs/guides/github-actions-primer.md | 8 +-
.../content/docs/patterns/multi-repo-ops.md | 4 +-
docs/src/content/docs/patterns/trial-ops.md | 2 +-
.../docs/reference/compilation-process.md | 4 +-
.../docs/reference/cross-repository.md | 4 +-
.../src/content/docs/reference/frontmatter.md | 2 +-
pkg/cli/copilot_setup.go | 6 +-
pkg/cli/copilot_setup_test.go | 8 +-
.../example-blocked-domains.lock.yml | 438 ++++++++++--------
.../test-claude-playwright-screenshots.md | 2 +-
.../test-copilot-playwright-screenshots.md | 2 +-
pkg/parser/yaml_import.go | 2 +-
pkg/parser/yaml_import_copilot_setup_test.go | 2 +-
pkg/workflow/.github/aw/actions-lock.json | 5 +
pkg/workflow/schema_validation.go | 2 +-
pkg/workflow/test-yaml-import.lock.yml | 2 +-
scratchpad/actions.md | 10 +-
scratchpad/debugging-action-pinning.md | 4 +-
scratchpad/dev.md | 6 +-
.../github-actions-security-best-practices.md | 4 +-
scratchpad/pr-checkout-logic-explained.md | 4 +-
scratchpad/yaml-version-gotchas.md | 2 +-
scripts/README-conformance.md | 2 +-
specs/security-architecture-spec.md | 4 +-
44 files changed, 343 insertions(+), 280 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5816b4486eb..869927c9244 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -246,7 +246,7 @@ jobs:
name: "Integration: ${{ matrix.test-group.name }}"
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -392,7 +392,7 @@ jobs:
contents: read
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: List all tests in codebase
run: |
@@ -446,7 +446,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -511,7 +511,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Node.js
id: setup-node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
@@ -566,7 +566,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -656,7 +656,7 @@ jobs:
contents: read
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check for ANSI escape sequences in YAML files
run: |
@@ -801,7 +801,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Node.js
id: setup-node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
@@ -835,7 +835,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Node.js
id: setup-node
@@ -886,7 +886,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -961,7 +961,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Fetch all history for incremental linting
@@ -1061,7 +1061,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Node.js
id: setup-node
@@ -1098,7 +1098,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1192,7 +1192,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1252,7 +1252,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1377,7 +1377,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1446,7 +1446,7 @@ jobs:
name: "Security Scan: ${{ matrix.tool.name }}"
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1503,7 +1503,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1602,7 +1602,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1779,7 +1779,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -1901,7 +1901,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
@@ -2032,7 +2032,7 @@ jobs:
contents: read
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run Safe Outputs Conformance Checker
id: conformance
@@ -2087,7 +2087,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
id: setup-go
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b5af31d7153..ebe912d6e3e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,7 +22,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Initialize CodeQL
uses: github/codeql-action/init@4248455a6f2335bc3b7a8a62932f000050ec8f13 # v3
diff --git a/.github/workflows/copilot-maintenance.yml b/.github/workflows/copilot-maintenance.yml
index 91dfe292888..b042d6e8d3f 100644
--- a/.github/workflows/copilot-maintenance.yml
+++ b/.github/workflows/copilot-maintenance.yml
@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# v4.2.2
with:
fetch-depth: 0 # Fetch all history for all branches
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 0cc0ade0822..19a3a961512 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -16,7 +16,7 @@ jobs:
- name: Install gh-aw extension
run: curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
with:
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index 640b045a20f..10e836dcdd3 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -280,7 +280,7 @@ jobs:
- name: Create gh-aw temp directory
run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 7990434b0e9..8a96f6eb108 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -48,7 +48,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
diff --git a/.github/workflows/format-and-commit.yml b/.github/workflows/format-and-commit.yml
index 6c337a56791..01bfd7ad33f 100644
--- a/.github/workflows/format-and-commit.yml
+++ b/.github/workflows/format-and-commit.yml
@@ -19,7 +19,7 @@ jobs:
exit 78
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
with:
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index a9184eee4cc..c8e99fe13bf 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -27,7 +27,7 @@
# Imports:
# - ../agents/ci-cleaner.agent.md
#
-# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"5cac230b2f0f2fcc27828a9aaf4154331f9127efa96c20c52258a51dc5502be5"}
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"671a14d4b1a43ceb00db004fb0c5c4ba09d7ae14da6fd2703f3218a72d3d841f"}
name: "CI Cleaner"
"on":
@@ -1015,7 +1015,7 @@ jobs:
ci_status: ${{ steps.ci_check.outputs.ci_status }}
steps:
- name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check last CI workflow run status on main branch
diff --git a/.github/workflows/hourly-ci-cleaner.md b/.github/workflows/hourly-ci-cleaner.md
index 84f0b6323c0..6dac36d2a66 100644
--- a/.github/workflows/hourly-ci-cleaner.md
+++ b/.github/workflows/hourly-ci-cleaner.md
@@ -50,7 +50,7 @@ jobs:
ci_run_id: ${{ steps.ci_check.outputs.ci_run_id }}
steps:
- name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check last CI workflow run status on main branch
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index a66b179097c..99c4d71e183 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -30,7 +30,7 @@ jobs:
- windows-latest
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Test install script detection logic
shell: bash
@@ -173,7 +173,7 @@ jobs:
issues: write
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Create issue on failure
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
diff --git a/.github/workflows/integration-agentics.yml b/.github/workflows/integration-agentics.yml
index 67b13e5dcfe..43694f92e5d 100644
--- a/.github/workflows/integration-agentics.yml
+++ b/.github/workflows/integration-agentics.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
index 79d8192e3e2..c0d5293f82f 100644
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -15,7 +15,7 @@ jobs:
permissions:
contents: read
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index 00c80326a38..98bdc97916a 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -29,7 +29,7 @@ jobs:
cancel-in-progress: true
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check Markdown links in reports
uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 1c5ecc0a479..a7aa28a462a 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
@@ -45,7 +45,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
@@ -71,7 +71,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
diff --git a/.github/workflows/shared/mcp-debug.md b/.github/workflows/shared/mcp-debug.md
index dbbf8db7cd4..d8d460eb1c2 100644
--- a/.github/workflows/shared/mcp-debug.md
+++ b/.github/workflows/shared/mcp-debug.md
@@ -21,7 +21,7 @@ safe-outputs:
pull-requests: write
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Post diagnostic report to pull request
uses: actions/github-script@v8
with:
diff --git a/.github/workflows/vet.yml b/.github/workflows/vet.yml
index d62efbf127f..cec1b53ca52 100644
--- a/.github/workflows/vet.yml
+++ b/.github/workflows/vet.yml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
- name: Run vet
id: vet
diff --git a/actions/setup-cli/README.md b/actions/setup-cli/README.md
index e42e555e1c7..c9106ec7155 100644
--- a/actions/setup-cli/README.md
+++ b/actions/setup-cli/README.md
@@ -33,7 +33,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
- name: Install gh-aw
uses: github/gh-aw/actions/setup-cli@main
diff --git a/actions/setup/README.md b/actions/setup/README.md
index 238cc7dd7b4..7adac3541e4 100644
--- a/actions/setup/README.md
+++ b/actions/setup/README.md
@@ -41,7 +41,7 @@ The number of files copied to the destination directory (should be 124: 117 Java
```yaml
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
with:
sparse-checkout: |
actions
diff --git a/docs/src/content/docs/examples/multi-repo.md b/docs/src/content/docs/examples/multi-repo.md
index b06e2bd4ea3..7618bcc2d87 100644
--- a/docs/src/content/docs/examples/multi-repo.md
+++ b/docs/src/content/docs/examples/multi-repo.md
@@ -133,12 +133,12 @@ engine:
id: claude
steps:
- name: Checkout main repo
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
path: main-repo
- name: Checkout secondary repo
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
repository: org/secondary-repo
token: ${{ secrets.GH_AW_CROSS_REPO_PAT }}
diff --git a/docs/src/content/docs/guides/deterministic-agentic-patterns.md b/docs/src/content/docs/guides/deterministic-agentic-patterns.md
index 65991d3d543..3423279e322 100644
--- a/docs/src/content/docs/guides/deterministic-agentic-patterns.md
+++ b/docs/src/content/docs/guides/deterministic-agentic-patterns.md
@@ -75,7 +75,7 @@ jobs:
run-analysis:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- run: ./gh-aw compile --zizmor --poutine > /tmp/gh-aw/agent/analysis.txt
steps:
diff --git a/docs/src/content/docs/guides/github-actions-primer.md b/docs/src/content/docs/guides/github-actions-primer.md
index d8eb70e42c3..164b9ec25db 100644
--- a/docs/src/content/docs/guides/github-actions-primer.md
+++ b/docs/src/content/docs/guides/github-actions-primer.md
@@ -27,7 +27,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
- name: Run tests
run: npm test
```
@@ -41,14 +41,14 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
- run: npm run build
test:
needs: build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
- run: npm test
```
@@ -59,7 +59,7 @@ jobs:
```yaml
steps:
# Action step - uses a pre-built action
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
# Run step - executes a shell command
- name: Install dependencies
diff --git a/docs/src/content/docs/patterns/multi-repo-ops.md b/docs/src/content/docs/patterns/multi-repo-ops.md
index 4b69cea7981..0ebf5a5d514 100644
--- a/docs/src/content/docs/patterns/multi-repo-ops.md
+++ b/docs/src/content/docs/patterns/multi-repo-ops.md
@@ -168,12 +168,12 @@ engine:
steps:
- name: Checkout main repo
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
path: main-repo
- name: Checkout secondary repo
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
repository: org/secondary-repo
token: ${{ secrets.GH_AW_CROSS_REPO_PAT }}
diff --git a/docs/src/content/docs/patterns/trial-ops.md b/docs/src/content/docs/patterns/trial-ops.md
index 9e44a7a9562..bb1d83c2ed5 100644
--- a/docs/src/content/docs/patterns/trial-ops.md
+++ b/docs/src/content/docs/patterns/trial-ops.md
@@ -240,7 +240,7 @@ jobs:
trial:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- name: Install gh-aw
run: gh extension install github/gh-aw
- name: Trial workflow
diff --git a/docs/src/content/docs/reference/compilation-process.md b/docs/src/content/docs/reference/compilation-process.md
index 682cc24f13a..5c879d62b34 100644
--- a/docs/src/content/docs/reference/compilation-process.md
+++ b/docs/src/content/docs/reference/compilation-process.md
@@ -96,7 +96,7 @@ All GitHub Actions are pinned to commit SHAs for security:
1. Check action cache for cached resolution
2. Try dynamic resolution via GitHub API
3. Fall back to embedded action pins data
-4. Add version comment (e.g., `actions/checkout@sha # v4`)
+4. Add version comment (e.g., `actions/checkout@sha # v6`)
### Phase 5: YAML Generation
@@ -271,7 +271,7 @@ This artifact-based handoff ensures the detection job cannot be influenced by th
## Action Pinning
-All GitHub Actions are pinned to commit SHAs (e.g., `actions/checkout@b4ffde6...11 # v4`) to prevent supply chain attacks and ensure reproducibility. Tags can be moved to malicious commits, but SHA commits are immutable.
+All GitHub Actions are pinned to commit SHAs (e.g., `actions/checkout@b4ffde6...11 # v6`) to prevent supply chain attacks and ensure reproducibility. Tags can be moved to malicious commits, but SHA commits are immutable.
**Resolution process**: Check cache (`.github/aw/actions-lock.json`) → Query GitHub API for latest SHA → Fall back to embedded pins → Cache result for future compilations. Dynamic resolution fetches current SHAs for tag references and stores them with timestamps.
diff --git a/docs/src/content/docs/reference/cross-repository.md b/docs/src/content/docs/reference/cross-repository.md
index a291d5db8cb..18620ce0bd9 100644
--- a/docs/src/content/docs/reference/cross-repository.md
+++ b/docs/src/content/docs/reference/cross-repository.md
@@ -213,12 +213,12 @@ engine:
steps:
- name: Checkout main repo
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
path: main-repo
- name: Checkout secondary repo
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
repository: org/secondary-repo
token: ${{ secrets.CROSS_REPO_PAT }}
diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md
index fa2f9b2fd8b..0a8108a6d30 100644
--- a/docs/src/content/docs/reference/frontmatter.md
+++ b/docs/src/content/docs/reference/frontmatter.md
@@ -632,7 +632,7 @@ jobs:
super_linter:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- name: Run Super-Linter
uses: super-linter/super-linter@v7
env:
diff --git a/pkg/cli/copilot_setup.go b/pkg/cli/copilot_setup.go
index 41a81b24dec..e936b9de7c5 100644
--- a/pkg/cli/copilot_setup.go
+++ b/pkg/cli/copilot_setup.go
@@ -50,7 +50,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
- name: Install gh-aw extension
uses: github/gh-aw/actions/setup-cli%s
with:
@@ -257,7 +257,7 @@ func renderCopilotSetupUpdateInstructions(filePath string, actionMode workflow.A
if actionMode.IsRelease() {
fmt.Fprintln(os.Stderr, " - name: Checkout repository")
- fmt.Fprintln(os.Stderr, " uses: actions/checkout@v4")
+ fmt.Fprintln(os.Stderr, " uses: actions/checkout@v6")
fmt.Fprintf(os.Stderr, " - name: Install gh-aw extension\n")
fmt.Fprintf(os.Stderr, " uses: github/gh-aw/actions/setup-cli%s\n", actionRef)
fmt.Fprintln(os.Stderr, " with:")
@@ -327,7 +327,7 @@ func injectExtensionInstallStep(workflow *Workflow, actionMode workflow.ActionMo
// In release mode, use the actions/setup-cli action
checkoutStep = CopilotWorkflowStep{
Name: "Checkout repository",
- Uses: "actions/checkout@v4",
+ Uses: "actions/checkout@v6",
}
installStep = CopilotWorkflowStep{
Name: "Install gh-aw extension",
diff --git a/pkg/cli/copilot_setup_test.go b/pkg/cli/copilot_setup_test.go
index 39e9c9b4bc7..a064fa16001 100644
--- a/pkg/cli/copilot_setup_test.go
+++ b/pkg/cli/copilot_setup_test.go
@@ -558,7 +558,7 @@ func TestEnsureCopilotSetupSteps_ReleaseMode(t *testing.T) {
}
// Verify it has checkout step
- if !strings.Contains(contentStr, "actions/checkout@v4") {
+ if !strings.Contains(contentStr, "actions/checkout@v6") {
t.Error("Expected copilot-setup-steps.yml to have checkout step in release mode")
}
@@ -647,7 +647,7 @@ func TestEnsureCopilotSetupSteps_CreateWithReleaseMode(t *testing.T) {
if !strings.Contains(contentStr, "version: v2.0.0") {
t.Errorf("Expected version parameter v2.0.0, got:\n%s", contentStr)
}
- if !strings.Contains(contentStr, "actions/checkout@v4") {
+ if !strings.Contains(contentStr, "actions/checkout@v6") {
t.Errorf("Expected checkout step in release mode")
}
}
@@ -968,8 +968,8 @@ func TestInjectExtensionInstallStep_ReleaseMode(t *testing.T) {
if job.Steps[0].Name != "Checkout repository" {
t.Errorf("First step should be checkout, got: %s", job.Steps[0].Name)
}
- if job.Steps[0].Uses != "actions/checkout@v4" {
- t.Errorf("Checkout should use actions/checkout@v4, got: %s", job.Steps[0].Uses)
+ if job.Steps[0].Uses != "actions/checkout@v6" {
+ t.Errorf("Checkout should use actions/checkout@v6, got: %s", job.Steps[0].Uses)
}
// Verify install step
diff --git a/pkg/cli/workflows/example-blocked-domains.lock.yml b/pkg/cli/workflows/example-blocked-domains.lock.yml
index 219279676c8..f5d0a05db7b 100644
--- a/pkg/cli/workflows/example-blocked-domains.lock.yml
+++ b/pkg/cli/workflows/example-blocked-domains.lock.yml
@@ -17,10 +17,12 @@
#
# To update this file, edit the corresponding .md file and run:
# gh aw compile
-# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md
+# Not all edits will cause changes to this file.
#
+# For more information: https://github.github.com/gh-aw/introduction/overview/
#
-# frontmatter-hash: 80100e1eccadf076c6f02412860f8dfb229e60d1753790630cb4589468eee780
+#
+# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"80100e1eccadf076c6f02412860f8dfb229e60d1753790630cb4589468eee780"}
name: "Example: Blocked Domains"
"on":
@@ -41,9 +43,10 @@ jobs:
outputs:
comment_id: ""
comment_repo: ""
+ secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Checkout actions folder
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
sparse-checkout: |
actions
@@ -52,8 +55,29 @@ jobs:
uses: ./actions/setup
with:
destination: /opt/gh-aw/actions
+ - name: Validate COPILOT_GITHUB_TOKEN secret
+ id: validate-secret
+ run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
+ env:
+ COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ - name: Validate context variables
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/validate_context_variables.cjs');
+ await main();
+ - name: Checkout .github and .agents folders
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ sparse-checkout: |
+ .github
+ .agents
+ fetch-depth: 1
+ persist-credentials: false
- name: Check workflow file timestamps
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_AW_WORKFLOW_FILE: "example-blocked-domains.lock.yml"
with:
@@ -62,21 +86,135 @@ jobs:
setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs');
await main();
+ - name: Create prompt with built-in context
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GH_AW_GITHUB_ACTOR: ${{ github.actor }}
+ GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
+ GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
+ GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+ GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+ GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
+ GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
+ GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
+ run: |
+ bash /opt/gh-aw/actions/create_prompt_first.sh
+ {
+ cat << 'GH_AW_PROMPT_EOF'
+
+ GH_AW_PROMPT_EOF
+ cat "/opt/gh-aw/prompts/xpia.md"
+ cat "/opt/gh-aw/prompts/temp_folder_prompt.md"
+ cat "/opt/gh-aw/prompts/markdown.md"
+ cat << 'GH_AW_PROMPT_EOF'
+
+ The following GitHub context information is available for this workflow:
+ {{#if __GH_AW_GITHUB_ACTOR__ }}
+ - **actor**: __GH_AW_GITHUB_ACTOR__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_REPOSITORY__ }}
+ - **repository**: __GH_AW_GITHUB_REPOSITORY__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_WORKSPACE__ }}
+ - **workspace**: __GH_AW_GITHUB_WORKSPACE__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
+ - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
+ - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
+ - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
+ - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
+ {{/if}}
+ {{#if __GH_AW_GITHUB_RUN_ID__ }}
+ - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
+ {{/if}}
+
+
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+
+ GH_AW_PROMPT_EOF
+ cat << 'GH_AW_PROMPT_EOF'
+ {{#runtime-import example-blocked-domains.md}}
+ GH_AW_PROMPT_EOF
+ } > "$GH_AW_PROMPT"
+ - name: Interpolate variables and render templates
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+ const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
+ await main();
+ - name: Substitute placeholders
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GH_AW_GITHUB_ACTOR: ${{ github.actor }}
+ GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
+ GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
+ GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+ GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+ GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
+ GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
+ GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
+ with:
+ script: |
+ const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+ setupGlobals(core, github, context, exec, io);
+
+ const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');
+
+ // Call the substitution function
+ return await substitutePlaceholders({
+ file: process.env.GH_AW_PROMPT,
+ substitutions: {
+ GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
+ GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
+ GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
+ GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
+ GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
+ GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
+ GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
+ GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE
+ }
+ });
+ - name: Validate prompt placeholders
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
+ - name: Print prompt
+ env:
+ GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ run: bash /opt/gh-aw/actions/print_prompt_summary.sh
+ - name: Upload prompt artifact
+ if: success()
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+ with:
+ name: prompt
+ path: /tmp/gh-aw/aw-prompts/prompt.txt
+ retention-days: 1
agent:
needs: activation
runs-on: ubuntu-latest
permissions:
contents: read
- concurrency:
- group: "gh-aw-copilot-${{ github.workflow }}"
+ env:
+ GH_AW_WORKFLOW_ID_SANITIZED: exampleblockeddomains
outputs:
checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
model: ${{ steps.generate_aw_info.outputs.model }}
- secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
steps:
- name: Checkout actions folder
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
sparse-checkout: |
actions
@@ -86,7 +224,7 @@ jobs:
with:
destination: /opt/gh-aw/actions
- name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Create gh-aw temp directory
@@ -98,6 +236,7 @@ jobs:
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
+ git config --global am.keepcr true
# Re-authenticate git with GitHub token
SERVER_URL_STRIPPED="${SERVER_URL#https://}"
git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
@@ -105,8 +244,8 @@ jobs:
- name: Checkout PR branch
id: checkout-pr
if: |
- github.event.pull_request
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ (github.event.pull_request) || (github.event.issue.pull_request)
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
with:
@@ -116,28 +255,66 @@ jobs:
setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs');
await main();
- - name: Validate COPILOT_GITHUB_TOKEN secret
- id: validate-secret
- run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
- env:
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ - name: Generate agentic run info
+ id: generate_aw_info
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ with:
+ script: |
+ const fs = require('fs');
+
+ const awInfo = {
+ engine_id: "copilot",
+ engine_name: "GitHub Copilot CLI",
+ model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
+ version: "",
+ agent_version: "0.0.418",
+ workflow_name: "Example: Blocked Domains",
+ experimental: false,
+ supports_tools_allowlist: true,
+ run_id: context.runId,
+ run_number: context.runNumber,
+ run_attempt: process.env.GITHUB_RUN_ATTEMPT,
+ repository: context.repo.owner + '/' + context.repo.repo,
+ ref: context.ref,
+ sha: context.sha,
+ actor: context.actor,
+ event_name: context.eventName,
+ staged: false,
+ allowed_domains: ["defaults","github","node"],
+ firewall_enabled: true,
+ awf_version: "v0.23.0",
+ awmg_version: "v0.1.5",
+ steps: {
+ firewall: "squid"
+ },
+ created_at: new Date().toISOString()
+ };
+
+ // Write to /tmp/gh-aw directory to avoid inclusion in PR
+ const tmpPath = '/tmp/gh-aw/aw_info.json';
+ fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2));
+ console.log('Generated aw_info.json at:', tmpPath);
+ console.log(JSON.stringify(awInfo, null, 2));
+
+ // Set model as output for reuse in other steps/jobs
+ core.setOutput('model', awInfo.model);
- name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.418
- name: Install awf binary
- run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1
- - name: Determine automatic lockdown mode for GitHub MCP server
+ run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.23.0
+ - name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
- env:
- TOKEN_CHECK: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- if: env.TOKEN_CHECK != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ env:
+ GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
+ GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
with:
script: |
const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Download container images
- run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.31.0
- - name: Start MCP gateway
+ run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.5 ghcr.io/github/github-mcp-server:v0.31.0
+ - name: Start MCP Gateway
id: start-mcp-gateway
env:
GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }}
@@ -149,18 +326,18 @@ jobs:
# Export gateway environment variables for MCP config and gateway script
export MCP_GATEWAY_PORT="80"
export MCP_GATEWAY_DOMAIN="host.docker.internal"
- MCP_GATEWAY_API_KEY=""
MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
+ echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export MCP_GATEWAY_API_KEY
+ export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
+ mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
export DEBUG="*"
- # Register API key as secret to mask it from logs
- echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export GH_AW_ENGINE="copilot"
- export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.98'
+ export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.5'
mkdir -p /home/runner/.copilot
- cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"github": {
@@ -177,184 +354,59 @@ jobs:
"gateway": {
"port": $MCP_GATEWAY_PORT,
"domain": "${MCP_GATEWAY_DOMAIN}",
- "apiKey": "${MCP_GATEWAY_API_KEY}"
+ "apiKey": "${MCP_GATEWAY_API_KEY}",
+ "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- MCPCONFIG_EOF
- - name: Generate agentic run info
- id: generate_aw_info
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
- with:
- script: |
- const fs = require('fs');
-
- const awInfo = {
- engine_id: "copilot",
- engine_name: "GitHub Copilot CLI",
- model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
- version: "",
- agent_version: "0.0.402",
- workflow_name: "Example: Blocked Domains",
- experimental: false,
- supports_tools_allowlist: true,
- supports_http_transport: true,
- run_id: context.runId,
- run_number: context.runNumber,
- run_attempt: process.env.GITHUB_RUN_ATTEMPT,
- repository: context.repo.owner + '/' + context.repo.repo,
- ref: context.ref,
- sha: context.sha,
- actor: context.actor,
- event_name: context.eventName,
- staged: false,
- allowed_domains: ["defaults","github","node"],
- firewall_enabled: true,
- awf_version: "v0.13.1",
- awmg_version: "v0.0.98",
- steps: {
- firewall: "squid"
- },
- created_at: new Date().toISOString()
- };
-
- // Write to /tmp/gh-aw directory to avoid inclusion in PR
- const tmpPath = '/tmp/gh-aw/aw_info.json';
- fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2));
- console.log('Generated aw_info.json at:', tmpPath);
- console.log(JSON.stringify(awInfo, null, 2));
-
- // Set model as output for reuse in other steps/jobs
- core.setOutput('model', awInfo.model);
+ GH_AW_MCP_CONFIG_EOF
- name: Generate workflow overview
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');
await generateWorkflowOverview(core);
- - name: Create prompt with built-in context
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- run: |
- bash /opt/gh-aw/actions/create_prompt_first.sh
- cat << 'PROMPT_EOF' > "$GH_AW_PROMPT"
-
- PROMPT_EOF
- cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT"
- cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT"
- cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"
-
- The following GitHub context information is available for this workflow:
- {{#if __GH_AW_GITHUB_ACTOR__ }}
- - **actor**: __GH_AW_GITHUB_ACTOR__
- {{/if}}
- {{#if __GH_AW_GITHUB_REPOSITORY__ }}
- - **repository**: __GH_AW_GITHUB_REPOSITORY__
- {{/if}}
- {{#if __GH_AW_GITHUB_WORKSPACE__ }}
- - **workspace**: __GH_AW_GITHUB_WORKSPACE__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
- - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
- - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
- - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
- - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
- {{/if}}
- {{#if __GH_AW_GITHUB_RUN_ID__ }}
- - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
- {{/if}}
-
-
- PROMPT_EOF
- cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"
-
- PROMPT_EOF
- cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"
- {{#runtime-import example-blocked-domains.md}}
- PROMPT_EOF
- - name: Substitute placeholders
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
+ - name: Download prompt artifact
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
with:
- script: |
- const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs');
-
- // Call the substitution function
- return await substitutePlaceholders({
- file: process.env.GH_AW_PROMPT,
- substitutions: {
- GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
- GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
- GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
- GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
- GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE
- }
- });
- - name: Interpolate variables and render templates
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- with:
- script: |
- const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');
- await main();
- - name: Validate prompt placeholders
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh
- - name: Print prompt
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- run: bash /opt/gh-aw/actions/print_prompt_summary.sh
+ name: prompt
+ path: /tmp/gh-aw/aw-prompts
+ - name: Clean git credentials
+ run: bash /opt/gh-aw/actions/clean_git_credentials.sh
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
timeout-minutes: 20
run: |
set -o pipefail
- GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS
- mkdir -p "$HOME/.cache"
- sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --block-domains analytics.example.com,tracker.example.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \
- -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' \
- 2>&1 | tee /tmp/gh-aw/agent-stdio.log
+ # shellcheck disable=SC1003
+ sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" --block-domains "analytics.example.com,tracker.example.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.23.0 --skip-pull --enable-api-proxy \
+ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
env:
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
+ GITHUB_API_URL: ${{ github.api_url }}
GITHUB_HEAD_REF: ${{ github.head_ref }}
+ GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_REF_NAME: ${{ github.ref_name }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
GITHUB_WORKSPACE: ${{ github.workspace }}
XDG_CONFIG_HOME: /home/runner
+ - name: Configure Git credentials
+ env:
+ REPO_NAME: ${{ github.repository }}
+ SERVER_URL: ${{ github.server_url }}
+ run: |
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git config --global user.name "github-actions[bot]"
+ git config --global am.keepcr true
+ # Re-authenticate git with GitHub token
+ SERVER_URL_STRIPPED="${SERVER_URL#https://}"
+ git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+ echo "Git configured with standard GitHub Actions identity"
- name: Copy Copilot session state files to logs
if: always()
continue-on-error: true
@@ -372,7 +424,7 @@ jobs:
else
echo "No session-state directory found at $SESSION_STATE_DIR"
fi
- - name: Stop MCP gateway
+ - name: Stop MCP Gateway
if: always()
continue-on-error: true
env:
@@ -383,7 +435,7 @@ jobs:
bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
- name: Redact secrets in logs
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -397,7 +449,7 @@ jobs:
SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload engine output files
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: agent_outputs
path: |
@@ -406,7 +458,7 @@ jobs:
if-no-files-found: ignore
- name: Parse agent logs for step summary
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
with:
@@ -415,9 +467,9 @@ jobs:
setupGlobals(core, github, context, exec, io);
const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs');
await main();
- - name: Parse MCP gateway logs for step summary
+ - name: Parse MCP Gateway logs for step summary
if: always()
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -433,11 +485,16 @@ jobs:
# Fix permissions on firewall logs so they can be uploaded as artifacts
# AWF runs with sudo, creating files owned by root
sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
- awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
+ # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
+ if command -v awf &> /dev/null; then
+ awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
+ else
+ echo 'AWF binary not installed, skipping firewall log summary'
+ fi
- name: Upload agent artifacts
if: always()
continue-on-error: true
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: agent-artifacts
path: |
@@ -446,5 +503,6 @@ jobs:
/tmp/gh-aw/mcp-logs/
/tmp/gh-aw/sandbox/firewall/logs/
/tmp/gh-aw/agent-stdio.log
+ /tmp/gh-aw/agent/
if-no-files-found: ignore
diff --git a/pkg/cli/workflows/test-claude-playwright-screenshots.md b/pkg/cli/workflows/test-claude-playwright-screenshots.md
index d6e5f4612d2..ec8e258576c 100644
--- a/pkg/cli/workflows/test-claude-playwright-screenshots.md
+++ b/pkg/cli/workflows/test-claude-playwright-screenshots.md
@@ -30,7 +30,7 @@ tools:
- "mv *"
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
diff --git a/pkg/cli/workflows/test-copilot-playwright-screenshots.md b/pkg/cli/workflows/test-copilot-playwright-screenshots.md
index fe4be9d0294..8b4ffd53b02 100644
--- a/pkg/cli/workflows/test-copilot-playwright-screenshots.md
+++ b/pkg/cli/workflows/test-copilot-playwright-screenshots.md
@@ -29,7 +29,7 @@ tools:
- "mv *"
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
diff --git a/pkg/parser/yaml_import.go b/pkg/parser/yaml_import.go
index 4dc31fbd88e..7f1d7af347b 100644
--- a/pkg/parser/yaml_import.go
+++ b/pkg/parser/yaml_import.go
@@ -259,7 +259,7 @@ func ensureCheckoutStepFirst(steps []any) []any {
yamlImportLog.Print("No checkout step found in copilot-setup-steps, adding default checkout step at beginning")
defaultCheckoutStep := map[string]any{
"name": "Checkout code",
- "uses": "actions/checkout@v4",
+ "uses": "actions/checkout@v6",
}
steps = append([]any{defaultCheckoutStep}, steps...)
return steps
diff --git a/pkg/parser/yaml_import_copilot_setup_test.go b/pkg/parser/yaml_import_copilot_setup_test.go
index 8117a397b21..e2c4c1068f3 100644
--- a/pkg/parser/yaml_import_copilot_setup_test.go
+++ b/pkg/parser/yaml_import_copilot_setup_test.go
@@ -228,7 +228,7 @@ func TestExtractStepsFromCopilotSetup_AddsCheckoutIfMissing(t *testing.T) {
// Verify checkout step was added
assert.Contains(t, stepsYAML, "Checkout code", "Should contain added checkout step")
- assert.Contains(t, stepsYAML, "actions/checkout@v4", "Should contain checkout action")
+ assert.Contains(t, stepsYAML, "actions/checkout@v6", "Should contain checkout action")
// Verify checkout step is first
lines := strings.Split(stepsYAML, "\n")
diff --git a/pkg/workflow/.github/aw/actions-lock.json b/pkg/workflow/.github/aw/actions-lock.json
index 9bf1c5e6373..122faf0f798 100644
--- a/pkg/workflow/.github/aw/actions-lock.json
+++ b/pkg/workflow/.github/aw/actions-lock.json
@@ -15,6 +15,11 @@
"version": "v5",
"sha": "93cb6efe18208431cddfb8368fd83d5badbf9bfd"
},
+ "actions/checkout@v6": {
+ "repo": "actions/checkout",
+ "version": "v6.0.2",
+ "sha": "de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+ },
"actions/setup-node@v4": {
"repo": "actions/setup-node",
"version": "v4",
diff --git a/pkg/workflow/schema_validation.go b/pkg/workflow/schema_validation.go
index b5576598542..18468c0d9b8 100644
--- a/pkg/workflow/schema_validation.go
+++ b/pkg/workflow/schema_validation.go
@@ -167,7 +167,7 @@ func getFieldExample(fieldPath string, err error) string {
"concurrency": "Example: concurrency: production or concurrency:\\n group: ${{ github.workflow }}\\n cancel-in-progress: true",
"env": "Example: env:\\n NODE_ENV: production",
"tools": "Example: tools:\\n github:\\n allowed: [list_issues]",
- "steps": "Example: steps:\\n - name: Checkout\\n uses: actions/checkout@v4",
+ "steps": "Example: steps:\\n - name: Checkout\\n uses: actions/checkout@v6",
"jobs": "Example: jobs:\\n build:\\n runs-on: ubuntu-latest\\n steps:\\n - run: echo 'hello'",
"strategy": "Example: strategy:\\n matrix:\\n os: [ubuntu-latest, windows-latest]",
"container": "Example: container: node:20 or container:\\n image: node:20\\n options: --user root",
diff --git a/pkg/workflow/test-yaml-import.lock.yml b/pkg/workflow/test-yaml-import.lock.yml
index 008387467c1..217556df72f 100644
--- a/pkg/workflow/test-yaml-import.lock.yml
+++ b/pkg/workflow/test-yaml-import.lock.yml
@@ -465,7 +465,7 @@ jobs:
contents: read
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 11bd71901bbe5b1630ceea73d27597364c9af683
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # 3041bf56c941b39c61721a86cd11f3bb1338122a
with:
go-version-file: go.mod
diff --git a/scratchpad/actions.md b/scratchpad/actions.md
index 025f839d8cb..89b449a682e 100644
--- a/scratchpad/actions.md
+++ b/scratchpad/actions.md
@@ -402,7 +402,7 @@ jobs:
my-job:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- name: Setup Workflow Scripts
uses: ./actions/setup
@@ -491,7 +491,7 @@ actions-build:
needs: [lint]
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
@@ -745,7 +745,7 @@ Script mode implements direct shell script execution instead of using GitHub Act
**Checkout Step** (`generateCheckoutActionsFolder`):
```yaml
- name: Checkout actions folder
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
repository: github/gh-aw
sparse-checkout: |
@@ -842,7 +842,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout actions folder
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
sparse-checkout: |
actions
@@ -867,7 +867,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout actions folder
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
with:
repository: github/gh-aw
sparse-checkout: |
diff --git a/scratchpad/debugging-action-pinning.md b/scratchpad/debugging-action-pinning.md
index bcc33bd272f..4574b2b8b6c 100644
--- a/scratchpad/debugging-action-pinning.md
+++ b/scratchpad/debugging-action-pinning.md
@@ -288,9 +288,9 @@ Create a style guide for your team:
All workflow files must use full semantic versioning for actions:
-- ✅ `actions/checkout@v5.0.1`
+- ✅ `actions/checkout@v6.0.2`
- ✅ `actions/setup-node@v6.1.0`
-- ❌ `actions/checkout@v5`
+- ❌ `actions/checkout@v6`
- ❌ `actions/setup-node@v6`
```
diff --git a/scratchpad/dev.md b/scratchpad/dev.md
index f1ab3335d26..7d4a8c3c3a4 100644
--- a/scratchpad/dev.md
+++ b/scratchpad/dev.md
@@ -1202,10 +1202,10 @@ steps:
**Pinned Actions**:
```yaml
# ✅ Pin actions to SHA
-- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# ❌ Avoid unpinned versions
-- uses: actions/checkout@v3
+- uses: actions/checkout@v6
```
### Input Validation
@@ -1499,7 +1499,7 @@ sequenceDiagram
```yaml
# .github/workflows/common-setup.yml
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v6
- uses: actions/setup-go@v4
with:
go-version: '1.21'
diff --git a/scratchpad/github-actions-security-best-practices.md b/scratchpad/github-actions-security-best-practices.md
index 88555bb43a8..eadb1f35645 100644
--- a/scratchpad/github-actions-security-best-practices.md
+++ b/scratchpad/github-actions-security-best-practices.md
@@ -281,7 +281,7 @@ Supply chain attacks target dependencies in CI/CD pipelines. Secure your workflo
```yaml
# VULNERABLE: Tags and branches can be changed
steps:
- - uses: actions/checkout@v5 # Tag can be moved
+ - uses: actions/checkout@v6 # Tag can be moved
- uses: actions/setup-node@main # Branch can be updated
- uses: thirdparty/action@latest # Always points to latest
```
@@ -819,7 +819,7 @@ finding: artipacked
#### poutine Output
```yaml
[CRITICAL] Unpinned action at .github/workflows/ci.yml:10
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- Recommendation: Pin to SHA
```
diff --git a/scratchpad/pr-checkout-logic-explained.md b/scratchpad/pr-checkout-logic-explained.md
index f2d9a567c36..83112389b98 100644
--- a/scratchpad/pr-checkout-logic-explained.md
+++ b/scratchpad/pr-checkout-logic-explained.md
@@ -355,14 +355,14 @@ jobs:
runs-on: ubuntu-latest
steps:
# This is SAFE - we're in base repo context
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
# This adds a comment using base repo code (trusted)
- name: Add comment
run: gh pr comment ${{ github.event.pull_request.number }} --body "Labeled!"
# ❌ DANGEROUS - Never do this without validation
- # - uses: actions/checkout@v4
+ # - uses: actions/checkout@v6
# with:
# ref: ${{ github.event.pull_request.head.sha }}
# - run: npm install # Could execute malicious code from PR
diff --git a/scratchpad/yaml-version-gotchas.md b/scratchpad/yaml-version-gotchas.md
index 2520cda232e..5ccdcc70e8e 100644
--- a/scratchpad/yaml-version-gotchas.md
+++ b/scratchpad/yaml-version-gotchas.md
@@ -302,7 +302,7 @@ jobs:
validate:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
# Install gh-aw
- run: gh extension install github/gh-aw
diff --git a/scripts/README-conformance.md b/scripts/README-conformance.md
index 2f3b0ebed95..35d97d9ccda 100644
--- a/scripts/README-conformance.md
+++ b/scripts/README-conformance.md
@@ -118,7 +118,7 @@ jobs:
conformance:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
- name: Run conformance checks
run: ./scripts/check-safe-outputs-conformance.sh
```
diff --git a/specs/security-architecture-spec.md b/specs/security-architecture-spec.md
index a94536bd4a5..a043bf5599b 100644
--- a/specs/security-architecture-spec.md
+++ b/specs/security-architecture-spec.md
@@ -1564,7 +1564,7 @@ strict: true
jobs:
test:
steps:
- - uses: actions/checkout@v4 # ❌ Blocked in strict mode
+ - uses: actions/checkout@v6 # ❌ Blocked in strict mode
```
**Error**: `strict mode requires actions to be pinned to commit SHA, not tag`
@@ -1639,7 +1639,7 @@ network:
**Don't**:
```yaml
-- uses: actions/checkout@v4
+- uses: actions/checkout@v6
- uses: actions/setup-node@main
```