From c6968468a85d7fd6356f60b26f07a378e0046b23 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Feb 2026 09:51:44 +0000
Subject: [PATCH 1/2] Initial plan

From 4630ea6be9a40198ea4852351400315f1c679500 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Feb 2026 09:59:49 +0000
Subject: [PATCH 2/2] Address review comments: fix duplicate title prefixes, label gates, security restrictions, and Docker image pinning

Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
---
 .github/workflows/eov-enrichment.lock.yml | 6 ++++++
 .github/workflows/eov-seasonal-reminder.lock.yml | 2 +-
 .github/workflows/eov-seasonal-reminder.md | 1 -
 .github/workflows/flock-action.lock.yml | 5 +++--
 .github/workflows/flock-action.md | 5 ++---
 .github/workflows/weekly-reminder.lock.yml | 4 ++--
 .github/workflows/weekly-reminder.md | 1 -
 7 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/eov-enrichment.lock.yml b/.github/workflows/eov-enrichment.lock.yml
index 1636b81..76c9768 100644
--- a/.github/workflows/eov-enrichment.lock.yml
+++ b/.github/workflows/eov-enrichment.lock.yml
@@ -1174,6 +1174,12 @@ jobs:
   pre_activation:
     runs-on: ubuntu-slim
+    if: |
+      contains(github.event.issue.labels.*.name, 'record:eov-site-assessment') ||
+      contains(github.event.issue.labels.*.name, 'record:eov-soil-sample') ||
+      contains(github.event.issue.labels.*.name, 'record:eov-water-test') ||
+      contains(github.event.issue.labels.*.name, 'record:eov-photo-point') ||
+      contains(github.event.issue.labels.*.name, 'eov-action')
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
diff --git a/.github/workflows/eov-seasonal-reminder.lock.yml b/.github/workflows/eov-seasonal-reminder.lock.yml
index a12c801..d3c17f9 100644
--- a/.github/workflows/eov-seasonal-reminder.lock.yml
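Review bot: The new `if:` gate on `pre_activation` exists only in the compiled `eov-enrichment.lock.yml` — the diffstat lists no `eov-enrichment.md`, so if this lock file is regenerated from its markdown source (as the `.lock.yml` naming and the paired `.md` files elsewhere in this patch suggest) the gate will silently disappear on the next compile; the condition belongs in the source workflow with the lock recompiled from it. Separately, a label match is a cheap pre-filter rather than an authorization boundary: anyone with triage rights can apply these labels, so the real control remains the `check_membership` step whose output feeds `activated`. A one-line comment above the gate would stop a later reader from relaxing the membership check on the assumption that labels suffice, e.g. `# Label gate only skips unrelated issues; authorization is the team-membership check below.` The `pre_activation` job continues past the end of this hunk.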
+++ b/.github/workflows/eov-seasonal-reminder.lock.yml
@@ -1033,7 +1033,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"labels\":[\"eov\",\"seasonal\",\"verification\"],\"max\":1,\"title_prefix\":\"EOV \"},\"missing_data\":{},\"missing_tool\":{}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"labels\":[\"eov\",\"seasonal\",\"verification\"],\"max\":1},\"missing_data\":{},\"missing_tool\":{}}"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/eov-seasonal-reminder.md b/.github/workflows/eov-seasonal-reminder.md
index f9fd9ba..ede5565 100644
--- a/.github/workflows/eov-seasonal-reminder.md
+++ b/.github/workflows/eov-seasonal-reminder.md
@@ -21,7 +21,6 @@ tools:
 safe-outputs:
   create-issue:
-    title-prefix: "EOV "
     labels: [eov, seasonal, verification]
     close-older-issues: true
     max: 1
diff --git a/.github/workflows/flock-action.lock.yml b/.github/workflows/flock-action.lock.yml
index ffe7162..1fa12a7 100644
--- a/.github/workflows/flock-action.lock.yml
+++ b/.github/workflows/flock-action.lock.yml
@@ -750,7 +750,7 @@ jobs:
               "run",
               "--rm",
               "-i",
-              "ghcr.io/zircote/nsip",
+              "ghcr.io/zircote/nsip@sha256:a1480316dc0e122fdce2724fd0f255033d04c0830bcb4686605ea429d5b9e793",
               "mcp"
             ],
             "tools": [
@@ -1186,6 +1186,7 @@ jobs:
   pre_activation:
     runs-on: ubuntu-slim
+    if: contains(github.event.issue.labels.*.name, 'flock-action')
     outputs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
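Review bot: The digest-only pin on `ghcr.io/zircote/nsip` in the `@@ -750` hunk drops the human-readable version, so a reader can no longer tell which release `a1480316…` corresponds to or notice when it has fallen behind; Docker accepts the combined form and still resolves strictly by digest, so `"ghcr.io/zircote/nsip:<tag>@sha256:a1480316dc0e122fdce2724fd0f255033d04c0830bcb4686605ea429d5b9e793"` keeps both and is also the form digest-updating bots such as Dependabot and Renovate understand. The same digest string is written into `flock-action.md` later in this patch; since the lock appears to be derived from the markdown, the two should be kept in lockstep by recompiling rather than editing both by hand, and the commit message should record which tag the digest was taken from. The MCP server JSON that contains this argument list starts and ends outside the hunk.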
@@ -1276,7 +1277,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"enriched\"]},\"close_issue\":{\"max\":1},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[Flock Action] \"},\"missing_data\":{},\"missing_tool\":{}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"enriched\"]},\"close_issue\":{\"max\":1},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/flock-action.md b/.github/workflows/flock-action.md
index 253e188..c73db5f 100644
--- a/.github/workflows/flock-action.md
+++ b/.github/workflows/flock-action.md
@@ -24,11 +24,10 @@ tools:
   mcp-servers:
     nsip:
       command: "docker"
-      args: ["run", "--rm", "-i", "ghcr.io/zircote/nsip", "mcp"]
+      args: ["run", "--rm", "-i", "ghcr.io/zircote/nsip@sha256:a1480316dc0e122fdce2724fd0f255033d04c0830bcb4686605ea429d5b9e793", "mcp"]
 safe-outputs:
-  create-pull-request:
-    title-prefix: "[Flock Action] "
+  create-pull-request: {}
   add-comment: {}
   add-labels:
     allowed: [enriched]
diff --git a/.github/workflows/weekly-reminder.lock.yml b/.github/workflows/weekly-reminder.lock.yml
index a459dd3..4248c1b 100644
--- a/.github/workflows/weekly-reminder.lock.yml
+++ b/.github/workflows/weekly-reminder.lock.yml
@@ -631,7 +631,7 @@ jobs:
         run: |
           set -o pipefail
           sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \
-            -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+            -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --allow-path /tmp/gh-aw/ --allow-path "${GITHUB_WORKSPACE}" --disable-builtin-mcps --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
         env:
           COPILOT_AGENT_RUNNER_TYPE: STANDALONE
           COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
@@ -1018,7 +1018,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"routine\",\"maintenance\"],\"max\":1,\"title_prefix\":\"Weekly Farm Check - \"},\"missing_data\":{},\"missing_tool\":{}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"routine\",\"maintenance\"],\"max\":1},\"missing_data\":{},\"missing_tool\":{}}"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/weekly-reminder.md b/.github/workflows/weekly-reminder.md
index 96112a5..436e65e 100644
--- a/.github/workflows/weekly-reminder.md
+++ b/.github/workflows/weekly-reminder.md
@@ -19,7 +19,6 @@ tools:
 safe-outputs:
   create-issue:
-    title-prefix: "Weekly Farm Check - "
     labels: [routine, maintenance]
     max: 1
 ---
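Review bot: Removing `--allow-all-tools` in the `@@ -631` hunk is not paired with any `--allow-tool` entry, so the copilot invocation is left with no pre-approved tools; if the CLI prompts for per-tool approval when nothing is pre-approved, this unattended run under `awf` will stall or exit, so confirm the workflow still completes end-to-end or add explicit `--allow-tool` arguments for the tools the prompt actually needs. The two new `--allow-path` values mirror the two `--add-dir` values, which is the right shape, and a short comment such as `# keep --allow-path in sync with --add-dir` above the `run:` block would keep them that way. Only `weekly-reminder.lock.yml` receives this hardening in the patch, and its companion `weekly-reminder.md` changes only the title prefix; if the lock is recompiled from the markdown this edit is likely to be reverted, and the `flock-action` and `eov-*` lock files are not shown with a corresponding change, so check whether they still carry `--allow-all-tools --allow-all-paths`. The `run:` step belongs to a job whose header lies outside the hunk.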