From ccf99a8df743b89d428c0965fda1fe577461084d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 21 Feb 2026 02:39:37 +0000 Subject: [PATCH 1/2] Initial plan From 187c772adca6dc64f959f109be7bd7cbeab176dd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 21 Feb 2026 02:46:55 +0000 Subject: [PATCH 2/2] Fix review comments: label gates, title prefix duplication, security improvements Co-authored-by: zircote <307960+zircote@users.noreply.github.com> --- .github/workflows/eov-enrichment.lock.yml | 8 +++++++- .github/workflows/eov-seasonal-reminder.lock.yml | 4 ++-- .github/workflows/eov-seasonal-reminder.md | 1 - .github/workflows/flock-action.lock.yml | 8 ++++---- .github/workflows/flock-action.md | 5 ++--- .github/workflows/weekly-reminder.lock.yml | 6 +++--- .github/workflows/weekly-reminder.md | 1 - 7 files changed, 18 insertions(+), 15 deletions(-) diff --git a/.github/workflows/eov-enrichment.lock.yml b/.github/workflows/eov-enrichment.lock.yml index 1636b81..46b1ccc 100644 --- a/.github/workflows/eov-enrichment.lock.yml +++ b/.github/workflows/eov-enrichment.lock.yml @@ -48,7 +48,13 @@ run-name: "EOV Enrichment Workflow" jobs: activation: needs: pre_activation - if: needs.pre_activation.outputs.activated == 'true' + if: >- + needs.pre_activation.outputs.activated == 'true' && + (contains(github.event.issue.labels.*.name, 'record:eov-site-assessment') || + contains(github.event.issue.labels.*.name, 'record:eov-soil-sample') || + contains(github.event.issue.labels.*.name, 'record:eov-water-test') || + contains(github.event.issue.labels.*.name, 'record:eov-photo-point') || + contains(github.event.issue.labels.*.name, 'eov-action')) runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/eov-seasonal-reminder.lock.yml b/.github/workflows/eov-seasonal-reminder.lock.yml index a12c801..92ee7c3 100644 
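Review bot: The label gate on `activation.if` exists only in the compiled `eov-enrichment.lock.yml`; the diffstat lists no `eov-enrichment.md`, so regenerating the lock file from its source would presumably drop the gate and let every issue event reach the agent again. The `contains(github.event.issue.labels.*.name, 'flock-action')` gate in `flock-action.lock.yml` has the same problem, since the `flock-action.md` hunk changes only `mcp-servers` and `safe-outputs`. Put the condition in the workflow source and recompile instead of hand-editing the lock file. A comment next to it such as `# label gate: selects which issues run the agent; it does not check who applied the label` would keep it from being read as an access control. The `activation` job continues outside the hunk, so its triggers are not visible here.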
--- a/.github/workflows/eov-seasonal-reminder.lock.yml +++ b/.github/workflows/eov-seasonal-reminder.lock.yml @@ -338,7 +338,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { - "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"EOV \". Labels [eov seasonal verification] will be automatically added.", + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [eov seasonal verification] will be automatically added.", "inputSchema": { "additionalProperties": false, "properties": { @@ -1033,7 +1033,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"labels\":[\"eov\",\"seasonal\",\"verification\"],\"max\":1,\"title_prefix\":\"EOV \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"close_older_issues\":true,\"labels\":[\"eov\",\"seasonal\",\"verification\"],\"max\":1},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/eov-seasonal-reminder.md b/.github/workflows/eov-seasonal-reminder.md index f9fd9ba..ede5565 100644 --- a/.github/workflows/eov-seasonal-reminder.md 
+++ b/.github/workflows/eov-seasonal-reminder.md @@ -21,7 +21,6 @@ tools: safe-outputs: create-issue: - title-prefix: "EOV " labels: [eov, seasonal, verification] close-older-issues: true max: 1 diff --git a/.github/workflows/flock-action.lock.yml b/.github/workflows/flock-action.lock.yml index ffe7162..63392b5 100644 --- a/.github/workflows/flock-action.lock.yml +++ b/.github/workflows/flock-action.lock.yml @@ -44,7 +44,7 @@ run-name: "Flock Action Workflow" jobs: activation: needs: pre_activation - if: needs.pre_activation.outputs.activated == 'true' + if: needs.pre_activation.outputs.activated == 'true' && contains(github.event.issue.labels.*.name, 'flock-action') runs-on: ubuntu-slim permissions: contents: read @@ -434,7 +434,7 @@ jobs: "name": "add_comment" }, { - "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[Flock Action] \".", + "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created.", "inputSchema": { "additionalProperties": false, "properties": { @@ -750,7 +750,7 @@ jobs: "run", "--rm", "-i", - "ghcr.io/zircote/nsip", + "ghcr.io/zircote/nsip@sha256:a1480316dc0e122fdce2724fd0f255033d04c0830bcb4686605ea429d5b9e793", "mcp" ], "tools": [ 
@@ -1276,7 +1276,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"enriched\"]},\"close_issue\":{\"max\":1},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[Flock Action] \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"enriched\"]},\"close_issue\":{\"max\":1},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/flock-action.md b/.github/workflows/flock-action.md index 253e188..c73db5f 100644 --- a/.github/workflows/flock-action.md +++ b/.github/workflows/flock-action.md @@ -24,11 +24,10 @@ tools: mcp-servers: nsip: command: "docker" - args: ["run", "--rm", "-i", "ghcr.io/zircote/nsip", "mcp"] + args: ["run", "--rm", "-i", "ghcr.io/zircote/nsip@sha256:a1480316dc0e122fdce2724fd0f255033d04c0830bcb4686605ea429d5b9e793", "mcp"] safe-outputs: - create-pull-request: - title-prefix: "[Flock Action] " + create-pull-request: {} add-comment: {} add-labels: allowed: [enriched] diff --git a/.github/workflows/weekly-reminder.lock.yml b/.github/workflows/weekly-reminder.lock.yml index a459dd3..2dffc90 100644 --- a/.github/workflows/weekly-reminder.lock.yml +++ b/.github/workflows/weekly-reminder.lock.yml 
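Review bot: The digest pin on `ghcr.io/zircote/nsip` in `flock-action.md` records no tag or version, so a later reader cannot tell which release the `sha256:a1480316…` digest is or whether it has gone stale; the `actions/github-script@ed597411… # v8` pins in the lock files show the convention of keeping the version beside the hash. Add a comment above `args:` such as `# nsip image pinned by digest; corresponds to tag <TAG>, update both together`, with the real tag filled in. The same digest is repeated in the compiled `flock-action.lock.yml` (hunk at -750), so the comment belongs in this source file only. The `mcp-servers` block starts above the hunk.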
@@ -338,7 +338,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' [ { - "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"Weekly Farm Check - \". Labels [routine maintenance] will be automatically added.", + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Labels [routine maintenance] will be automatically added.", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -631,7 +631,7 @@ jobs: run: | set -o pipefail sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ - -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-path /tmp/gh-aw/ --allow-path "${GITHUB_WORKSPACE}" --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ 
--model "$GH_AW_MODEL_AGENT_COPILOT"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} @@ -1018,7 +1018,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"routine\",\"maintenance\"],\"max\":1,\"title_prefix\":\"Weekly Farm Check - \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"routine\",\"maintenance\"],\"max\":1},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/weekly-reminder.md b/.github/workflows/weekly-reminder.md index 96112a5..436e65e 100644 --- a/.github/workflows/weekly-reminder.md +++ b/.github/workflows/weekly-reminder.md @@ -19,7 +19,6 @@ tools: safe-outputs: create-issue: - title-prefix: "Weekly Farm Check - " labels: [routine, maintenance] max: 1 ---
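Review bot: The tool and path restriction on the `copilot` command line is made only in `weekly-reminder.lock.yml`; the `weekly-reminder.md` hunk removes `title-prefix` and nothing else, so a recompile would presumably restore `--allow-all-tools --allow-all-paths`, and no hunk in this commit applies the same restriction to the other two lock files. I could not confirm from the page that `--allow-path` is an option this CLI accepts (the command already grants both directories with `--add-dir`), so the agent step should be run once before merging to check that it still starts. Separately, the unchanged `awf --env-all` on the preceding line presumably still forwards the whole step environment, including `COPILOT_GITHUB_TOKEN`, into the sandbox, which the narrower tool list does not change. The `run:` step begins above the hunk.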