Add push-to-orphaned-branch safe output type with SHA-based filenames, configurable branches, flexible validation, MCP compliance, file-based architecture, environment-driven paths, and robust configuration

[Copilot]

Implementing requested changes to push-to-orphaned-branch safe output type:

• Analyze current implementation and understand requirements
• Add SHA computation for file buffers in MCP server
• Use SHA as filename instead of timestamp + original filename
• Add "branch" field to configuration schema (workflow frontmatter)
• Update Go types to support branch configuration
• Change default branch name to "assets/${{ workflow id }}"
• Update JavaScript logic to use configurable branch name
• Include SHA in response URL
• Update tests for new functionality
• Run comprehensive testing and validation
• Use branch name instead of commit SHA in raw URLs
• Add expected URL template to MCP server response
• Add SHA validation in file upload process
• Add commit SHA to job outputs
• Add file size validation (10MB limit)
• Add file extension validation for security
• Enhance URL generation with repository context
• Add URL template to response structure
• Update file extension validation to allow up to 5 alphanumeric characters
• Remove unsupported url field from MCP response
• Update dev workflow with playwright tool and documentation workflow
• Implement file-based safe outputs architecture
• Move files to nested subdirectory and use environment variables
• Use environment variables instead of step outputs for consistent references
• Update filename to safe_outputs.jsonl and add environment variable validation

Environment Variable Consistency Updates

Improved Environment Variable Usage

• Consistent References: All engines now use ${{ env.GITHUB_AW_SAFE_OUTPUTS_DIR }} and ${{ env.GITHUB_AW_SAFE_OUTPUTS_FILES_DIR }} instead of step outputs
• MCP Server Configuration: Environment variables passed consistently to all MCP server configurations
• Artifact Upload: Upload path now uses environment variable reference instead of hardcoded path

Enhanced Configuration and Validation

Robust Environment Variable Validation

• MCP Server Startup: Added comprehensive validation for all required environment variables
• Fail-Fast Behavior: Server exits immediately with clear error messages if configuration is incomplete
• Required Variables: Validates GITHUB_AW_SAFE_OUTPUTS_CONFIG, GITHUB_AW_SAFE_OUTPUTS, GITHUB_AW_SAFE_OUTPUTS_DIR, and GITHUB_AW_SAFE_OUTPUTS_FILES_DIR

Improved File Naming Convention

• Consistent Naming: Changed from outputs.jsonl to safe_outputs.jsonl for better identification
• Clear Purpose: Filename now clearly indicates its role in safe outputs functionality
• Better Organization: Aligns with overall safe outputs naming convention throughout the codebase

Changes Made

Engine Environment Configuration

• Claude Engine: Updated to use ${{ env.GITHUB_AW_SAFE_OUTPUTS_DIR }} and ${{ env.GITHUB_AW_SAFE_OUTPUTS_FILES_DIR }}
• Custom Engine: Environment variables now reference env vars instead of step outputs
• Codex Engine: Consistent environment variable usage in both execution and MCP configuration

MCP Server Environment

• All Engines: MCP server configurations now use environment variable references
• Consistent Passing: Environment variables passed uniformly across all engine types
• Clean Configuration: No mixing of step outputs and environment variables
• Startup Validation: All required environment variables validated at server launch

Artifact Upload Path

• Compiler: Upload artifact step now uses ${{ env.GITHUB_AW_SAFE_OUTPUTS_DIR }} instead of hardcoded path
• Dynamic Path: Path resolution happens at runtime using environment variables
• Flexibility: Allows for different directory structures in testing and production

Benefits

Enhanced Reliability

• Environment Validation: Prevents runtime errors due to missing configuration
• Clear Error Messages: Specific error messages indicate which environment variables are missing
• Consistent State: Server only operates with complete configuration
• Early Detection: Configuration problems identified at startup

Consistency

• Uniform References: All path references use the same pattern (environment variables)
• No Mixed Approaches: Eliminates mixture of step outputs and environment variables
• Predictable Behavior: Same reference pattern across all engines and configurations
• Consistent Naming: Files clearly indicate their purpose

Maintainability

• Single Source of Truth: Environment variables set once in setup step, used everywhere
• Easy Updates: Changing paths only requires updating the setup step
• Clear Dependencies: Dependencies on setup step are explicit through environment variables
• Centralized Validation: All environment checks in one location

Testing

• Override Capability: Environment variables can be overridden for testing
• Isolation: Tests can use different paths without affecting setup step outputs
• Flexibility: Easier to test different directory configurations

Technical Implementation

Environment Variable Flow

1. Setup Step: core.exportVariable() sets environment variables for subsequent steps
2. Engine Configuration: All engines reference ${{ env.VARIABLE_NAME }}
3. MCP Servers: Environment variables passed to MCP server process environment with startup validation
4. Artifact Upload: Upload step uses environment variable for path resolution

Configuration Validation Pattern

// Validate required environment variables at startup
const safeOutputsDir = process.env.GITHUB_AW_SAFE_OUTPUTS_DIR;
if (!safeOutputsDir)
  throw new Error("GITHUB_AW_SAFE_OUTPUTS_DIR not set, no safe outputs directory");

Consistency Pattern

# Before (mixed approach)
GITHUB_AW_SAFE_OUTPUTS_DIR: ${{ steps.setup_agent_output.outputs.output_dir }}

# After (consistent approach)  
GITHUB_AW_SAFE_OUTPUTS_DIR: ${{ env.GITHUB_AW_SAFE_OUTPUTS_DIR }}

The implementation ensures all path references use environment variables consistently while providing robust configuration validation, better naming conventions, and improved error handling for a more reliable and maintainable system.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.contoso.com
  • Triggering command: /tmp/go-build1018698154/b279/cli.test -test.testlogfile=/tmp/go-build1018698154/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
  • Triggering command: /tmp/go-build3111078443/b279/cli.test -test.testlogfile=/tmp/go-build3111078443/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

Can you use the branch instead of commit sha? @copilot

[Copilot]

Changed to use branch name instead of commit SHA in raw URLs in commit adbd59b. URLs now use the format https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{filename} which provides more stable URLs that don't change with each commit.

[pelikhan]

Also return the rawUrl that will result to pushing this file to the branch. @copilot

[Copilot]

Added expected URL template to the MCP server response in commit adbd59b. The response now includes the URL format that will result from pushing the file, showing the branch configuration and SHA-based filename: https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{sha-filename}

[pelikhan]

@copilot
Fail is sha is not equal to compute sha of file buffer

[Copilot]

Added SHA validation in commit b0bf19e. The upload process now computes the SHA256 of the file buffer and fails the workflow if it doesn't match the expected SHA from the agent output, ensuring file integrity.

[pelikhan]

@copilot

• enable playwright tool on dev agnetic workflow
• update prompt to build docs and take a screenshot and post it as an issue
• update description of new tool to tell LLM to use expected URL
• enable safe outputs to push to orphaned branch and create issue

[pelikhan]

@copilot

• allowed extension has up to 5 alpha-numerical characters.

[Copilot]

Updated file extension validation in commit c2b4746. Now allows any extension with up to 5 alphanumeric characters instead of a hardcoded allowlist, providing more flexibility while maintaining security.

[pelikhan]

@copilot remove url field, not supported in MCP

[Copilot]

Removed the unsupported url field from MCP response in commit c2b4746. The response now only includes the text content with expected URL information for MCP protocol compliance.

[Copilot]

@copilot

• enable playwright tool on dev agnetic workflow...

Updated dev workflow in commit c2b4746 to enable playwright tool, add safe outputs for push-to-orphaned-branch and create-issue, and updated the prompt to build docs, take screenshots, and create issues with guidance on using the expected URL from the upload response.

[pelikhan]

@copilot instead of bundling the file contents in the safe_outputs JSONL, copy the file to a known folder in a temp folder (/temp/aw/safe-outputs/) that will get uploaded as part of the safe outputs artifact. Use the sha-based filename.

• update the generated safe outputs file location to use this folder as well /tmp/gh-aw/safe-outputs/outputs.jsonl
• update the update_artifacts step to upload all files in that folder
• when processing the safe output, find the file in the unpacked artifact location, check the sha matches

[Copilot]

@copilot instead of bundling the file contents in the safe_outputs JSONL, copy the file to a known folder in a temp folder (/temp/aw/safe-outputs/) that will get uploaded as part of the safe outputs a...

Implemented file-based safe outputs architecture in commit 0577df8. Files are now copied to /tmp/gh-aw/safe-outputs/ with SHA-based filenames instead of being bundled in JSONL. The safe outputs file is now at /tmp/gh-aw/safe-outputs/outputs.jsonl, artifact upload includes the entire directory, and processing jobs read files from unpacked artifacts with SHA validation.

[pelikhan]

@copilot

• the folder of files for the safe output files should be in a nested su folder /tmp/gh-aw/safe-outputs/files
• use environment variable in JavaScript instead of hardcoding paths to allow for testing
• update compiler to generate the yaml code that passes the new environment variable

[Copilot]

@copilot

• the folder of files for the safe output files should be in a nested su folder /tmp/gh-aw/safe-outputs/files...

Implemented all requested changes in commit 7d2696f: Files are now stored in nested subdirectory /tmp/gh-aw/safe-outputs/files/, all JavaScript files use environment variables instead of hardcoded paths (GITHUB_AW_SAFE_OUTPUTS_FILES_DIR, GITHUB_AW_SAFE_OUTPUTS_DIR), and compiler now generates YAML that passes these environment variables to all engines (Claude, Custom, Codex) and MCP server configurations.

[pelikhan]

@copilot use env for value

[Copilot]

Updated to use environment variable reference in commit 6bd077d. Now uses ${{ env.GITHUB_AW_SAFE_OUTPUTS_FILES_DIR }} instead of step output reference for consistent environment variable usage across all engines.

[pelikhan]

Use the env variable that points to the directory

[Copilot]

Updated artifact upload path to use environment variable in commit 6bd077d. Now uses ${{ env.GITHUB_AW_SAFE_OUTPUTS_DIR }} instead of hardcoded path for dynamic path resolution.

[pelikhan]

@copilot add tests for new server tool