Store safeinputs MCP server logs in artifact and add health endpoint

[Copilot]

SafeInputs MCP server logs were not being captured as artifacts, making debugging difficult. The audit command had no way to access server.log files from workflow runs.

Changes

• Added artifact upload for safeinputs logs (pkg/workflow/compiler_yaml.go)

  • New generateUploadSafeInputsLogs() function creates upload step for /tmp/gh-aw/safe-inputs/logs/
  • Artifact named "safeinputs", uploaded conditionally when IsSafeInputsEnabled() returns true
  • Follows same pattern as MCP logs upload

• Enhanced server.log initialization (pkg/workflow/sh/start_safe_inputs_server.sh)

  • Creates server.log with header (title, timestamp, separator) before server start
  • Changed redirection from > to >> to preserve header when appending server output
  • Ensures log file exists even if server produces no output

• Added GET /health endpoint (pkg/workflow/js/safe_inputs_mcp_server_http.cjs)

  • Returns JSON with server status, name, version, and tool count
  • Does not require authentication for health checks
  • Updated start script to use /health endpoint instead of root endpoint

• Added test for health endpoint (pkg/workflow/js/safe_inputs_mcp_server_http.test.cjs)

  • Validates health endpoint responds with correct JSON structure
  • Verifies status, server metadata, and tool count

• Recompiled workflows

  • All 98 workflows updated with new artifact upload step where safe-inputs enabled

Result

The audit command automatically downloads the "safeinputs" artifact via existing downloadRunArtifacts() logic. Server logs are now available in downloaded artifacts at safeinputs/server.log for debugging. The health endpoint provides a simple way to verify server is running without authentication.

Example in compiled workflow:

- name: Upload SafeInputs logs
  if: always()
  uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
  with:
    name: safeinputs
    path: /tmp/gh-aw/safe-inputs/logs/
    if-no-files-found: ignore

Original prompt

Store the safeinputs MCP server log in a safeinputs artifact.

Update logs/audit command to download server.log file.

Write the server.log file in starter shell script before starting server.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[pelikhan]

@copilot add GET /health endpoint using in the start safe inputs shell script. Update shell script to use /health.
Create server.log file before starting server.

[Copilot]

@copilot add GET /health endpoint using in the start safe inputs shell script. Update shell script to use /health.
Create server.log file before starting server.

Done in commit 09a66bd.

Added GET /health endpoint that returns:

{
  "status": "ok",
  "server": "safeinputs",
  "version": "1.0.0",
  "tools": <count>
}

Updated start script to use curl http://localhost:$PORT/health (no auth required) instead of root endpoint. Server.log file creation was already in place from previous commit.