From eab1fbf4fca1e423e3d6197433f35e27219ae7b9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:39:52 +0000 Subject: [PATCH 1/3] Initial plan From 6f6d589106035c2543d3072898eba74f3c118e87 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 16:55:03 +0000 Subject: [PATCH 2/3] Add GH_DEBUG=1 env var to shared/gh.md safe-input tool Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/copilot-pr-merged-report.lock.yml | 8 ++++++-- .github/workflows/dev.lock.yml | 8 ++++++-- .github/workflows/shared/gh.md | 1 + .github/workflows/smoke-copilot-no-firewall.lock.yml | 8 ++++++-- .github/workflows/smoke-copilot-playwright.lock.yml | 8 ++++++-- .github/workflows/smoke-copilot-safe-inputs.lock.yml | 8 ++++++-- 6 files changed, 31 insertions(+), 10 deletions(-) diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 7a938366a6..9818008e49 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -3406,7 +3406,8 @@ jobs: }, "handler": "gh.sh", "env": { - "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN" + "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN", + "GH_DEBUG": "GH_DEBUG" }, "timeout": 60 } @@ -3449,6 +3450,7 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -3461,7 +3463,8 @@ jobs: "args": ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"], "tools": ["*"], "env": { - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}" + "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", + "GH_DEBUG": "\${GH_DEBUG}" } }, "safeoutputs": { 
@@ -4243,6 +4246,7 @@ jobs: GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_DEBUG: 1 GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 254894a4af..03414d72ae 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -3103,7 +3103,8 @@ jobs: }, "handler": "gh.sh", "env": { - "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN" + "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN", + "GH_DEBUG": "GH_DEBUG" }, "timeout": 60 } @@ -3146,6 +3147,7 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -3158,7 +3160,8 @@ jobs: "args": ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"], "tools": ["*"], "env": { - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}" + "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", + "GH_DEBUG": "\${GH_DEBUG}" } }, "safeoutputs": { @@ -3422,6 +3425,7 @@ jobs: GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_DEBUG: 1 GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} diff --git a/.github/workflows/shared/gh.md b/.github/workflows/shared/gh.md index d09adf4a5c..2e45ee234d 100644 --- a/.github/workflows/shared/gh.md +++ b/.github/workflows/shared/gh.md @@ -13,6 +13,7 @@ safe-inputs: required: true env: GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_DEBUG: "1" run: | echo "gh $INPUT_ARGS" echo " token: ${GH_AW_GH_TOKEN:0:6}..." 
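Review bot: The added `GH_DEBUG: "1"` turns on gh's verbose stderr output unconditionally, in the same `env:` block that carries `GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, and nothing in the change says where that extra output ends up. If the safe-input handler returns stderr to the agent or writes it to the job log (not visible in this hunk), every run now exposes more request detail than before, on top of the existing `echo " token: ${GH_AW_GH_TOKEN:0:6}..."` line that already prints a token prefix. I would make it opt-in, for example `GH_DEBUG: ${{ runner.debug }}`, so the verbose output appears only when a run is re-triggered with debug logging enabled, and add a comment above it such as `# verbose gh diagnostics; off unless runner debug logging is on`. The compiled `.lock.yml` hunks in this patch also set `GH_DEBUG: 1` (unquoted, unlike the `"1"` here) on the step whose env holds `GH_AW_PROMPT`, which is wider than the `safeinputs-gh` tool scope the changeset describes and should be confirmed as intended. The frontmatter block continues outside the hunk.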
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml index 7b925d8204..f4e71b6db0 100644 --- a/.github/workflows/smoke-copilot-no-firewall.lock.yml +++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml @@ -5100,7 +5100,8 @@ jobs: }, "handler": "gh.sh", "env": { - "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN" + "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN", + "GH_DEBUG": "GH_DEBUG" }, "timeout": 60 } @@ -5144,6 +5145,7 @@ jobs: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -5182,7 +5184,8 @@ jobs: "args": ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"], "tools": ["*"], "env": { - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}" + "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", + "GH_DEBUG": "\${GH_DEBUG}" } }, "safeoutputs": { @@ -5856,6 +5859,7 @@ jobs: GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_DEBUG: 1 GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml index 666b25ac9c..22077acbc2 100644 --- a/.github/workflows/smoke-copilot-playwright.lock.yml +++ b/.github/workflows/smoke-copilot-playwright.lock.yml @@ -5091,7 +5091,8 @@ jobs: }, "handler": "gh.sh", "env": { - "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN" + "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN", + "GH_DEBUG": "GH_DEBUG" }, "timeout": 60 } 
@@ -5135,6 +5136,7 @@ jobs: GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -5173,7 +5175,8 @@ jobs: "args": ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"], "tools": ["*"], "env": { - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}" + "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", + "GH_DEBUG": "\${GH_DEBUG}" } }, "safeoutputs": { @@ -5836,6 +5839,7 @@ jobs: GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_DEBUG: 1 GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml index e5840e7e54..bc51af6af3 100644 --- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml +++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml @@ -4996,7 +4996,8 @@ jobs: }, "handler": "gh.sh", "env": { - "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN" + "GH_AW_GH_TOKEN": "GH_AW_GH_TOKEN", + "GH_DEBUG": "GH_DEBUG" }, "timeout": 60 } @@ -5039,6 +5040,7 @@ jobs: env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -5051,7 +5053,8 @@ jobs: "args": ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"], "tools": ["*"], "env": { - "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}" + "GH_AW_GH_TOKEN": "\${GH_AW_GH_TOKEN}", + "GH_DEBUG": "\${GH_DEBUG}" } }, "safeoutputs": { 
@@ -5562,6 +5565,7 @@ jobs: GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_DEBUG: 1 GITHUB_HEAD_REF: ${{ github.head_ref }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} From 278b215fcba45a41bf43c7ade53b8ca6432e74f1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 11 Dec 2025 16:58:22 +0000 Subject: [PATCH 3/3] Add changeset [skip-ci] --- .changeset/patch-add-gh-debug-env.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .changeset/patch-add-gh-debug-env.md diff --git a/.changeset/patch-add-gh-debug-env.md b/.changeset/patch-add-gh-debug-env.md new file mode 100644 index 0000000000..35af7e9f15 --- /dev/null +++ b/.changeset/patch-add-gh-debug-env.md @@ -0,0 +1,11 @@ +--- +"gh-aw": patch +--- + +Add `GH_DEBUG=1` to the shared `gh` safe-input tool configuration so +that `gh` commands executed via the `safeinputs-gh` tool run with +verbose debugging enabled. + +This is an internal/tooling change that affects workflow execution +verbosity only. +