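# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: MIT
#
# copilot-setup-steps.yml
# Pre-install tools and dependencies for GitHub Copilot Coding Agent
# Reference: https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment
#
# Supply-chain posture of this file:
#   - actions are pinned to full commit SHAs (release tag kept as a comment)
#   - release binaries are pinned by version AND per-architecture SHA-256
#   - the workflow token is limited to `contents: read`

name: "Copilot Setup Steps"

# Copilot coding agent runs these steps internally before starting work.
# Use workflow_dispatch to manually validate the setup when desired.
on:
  workflow_dispatch:

# Minimal permissions
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  # Job MUST be named 'copilot-setup-steps' to be recognized by Copilot
  copilot-setup-steps:
    runs-on: ubuntu-latest
    # Minimal permissions; Copilot receives its own token for operations
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Keep the checkout token out of the local git config so later
          # steps (and the dependencies they install) cannot read it.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "24"
          cache: "npm"

      # continue-on-error allows Copilot to start work even if dependencies fail,
      # so it can fix package.json/package-lock.json issues itself
      - name: Install JavaScript dependencies
        continue-on-error: true
        run: npm ci

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"

      # The release URL can be redirected to a mirror through the
      # HVE_GITHUB_RELEASES_URL repository variable, so integrity rests on the
      # digests pinned below, not on the download host. Bump the version and
      # both digests together.
      - name: Install actionlint
        env:
          ACTIONLINT_VERSION: '1.7.10'
          ACTIONLINT_AMD64_SHA256: 'f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f'
          ACTIONLINT_ARM64_SHA256: 'cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a'
          GITHUB_RELEASES_URL: ${{ vars.HVE_GITHUB_RELEASES_URL || 'https://github.com' }}
        run: |
          ARCH=$(uname -m)
          if [[ "${ARCH}" == "x86_64" ]]; then
            ACTIONLINT_ARCH="amd64"
            ACTIONLINT_SHA256="${ACTIONLINT_AMD64_SHA256}"
          elif [[ "${ARCH}" == "aarch64" ]]; then
            ACTIONLINT_ARCH="arm64"
            ACTIONLINT_SHA256="${ACTIONLINT_ARM64_SHA256}"
          else
            echo "ERROR: Unsupported architecture for actionlint: ${ARCH}" >&2
            exit 1
          fi
          curl -sSfL "${GITHUB_RELEASES_URL}/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_${ACTIONLINT_ARCH}.tar.gz" -o /tmp/actionlint.tar.gz
          # Verify before unpacking. Two spaces between digest and path is the
          # standard sha256sum check-line format; a mismatch fails the step.
          echo "${ACTIONLINT_SHA256}  /tmp/actionlint.tar.gz" | sha256sum -c -
          # Unpack unprivileged, then let `install` place a root-owned copy.
          tar -xzf /tmp/actionlint.tar.gz -C /tmp actionlint
          sudo install /tmp/actionlint /usr/local/bin/actionlint
          rm /tmp/actionlint.tar.gz /tmp/actionlint
          actionlint --version

      # Modules are pinned by exact version. Unlike the binary downloads in
      # this job, no digest is checked here, so trust rests on whichever
      # repository $repo resolves to.
      # NOTE(review): -ErrorAction SilentlyContinue hides a failed
      # Register-PSRepository. If HVE_PSGALLERY_SOURCE_URL is set while
      # HVE_PSGALLERY_REPOSITORY is empty, $repo is 'PSGallery' - confirm that
      # registration cannot fail silently and leave the installs pointed at
      # the public gallery instead of the intended mirror.
      - name: Install PowerShell modules
        shell: pwsh
        env:
          HVE_PSGALLERY_REPOSITORY: ${{ vars.HVE_PSGALLERY_REPOSITORY || '' }}
          HVE_PSGALLERY_SOURCE_URL: ${{ vars.HVE_PSGALLERY_SOURCE_URL || '' }}
        run: |
          $repo = if ($env:HVE_PSGALLERY_REPOSITORY) { $env:HVE_PSGALLERY_REPOSITORY } else { 'PSGallery' }
          if ($env:HVE_PSGALLERY_SOURCE_URL) {
            Register-PSRepository -Name $repo -SourceLocation $env:HVE_PSGALLERY_SOURCE_URL -InstallationPolicy Trusted -ErrorAction SilentlyContinue
          }
          Install-Module -Name PowerShell-Yaml -RequiredVersion 0.4.7 -Force -Scope AllUsers -Repository $repo
          Install-Module -Name PSScriptAnalyzer -RequiredVersion 1.25.0 -Force -Scope AllUsers -Repository $repo
          Install-Module -Name Pester -RequiredVersion 5.7.1 -Force -Scope AllUsers -Repository $repo

      # Same pin-and-verify pattern as actionlint.
      # NOTE(review): the skills loop runs `uv sync` without --locked while the
      # moderation eval uses --locked. Confirm whether every skill directory
      # commits a uv.lock before tightening the loop to match.
      - name: Install uv package manager
        env:
          UV_VERSION: '0.10.8'
          UV_X86_64_SHA256: 'f0c566b55683395a62fefb9261a060fa09824914b5682c3b9629fa154762ae2f'
          UV_AARCH64_SHA256: '661860e954f87dcd823251191866af3486484d1a9df60eed56f4586ed7559e3d'
          GITHUB_RELEASES_URL: ${{ vars.HVE_GITHUB_RELEASES_URL || 'https://github.com' }}
        run: |
          ARCH=$(uname -m)
          if [[ "${ARCH}" == "x86_64" ]]; then
            UV_ARCH="x86_64-unknown-linux-gnu"
            UV_SHA256="${UV_X86_64_SHA256}"
          elif [[ "${ARCH}" == "aarch64" ]]; then
            UV_ARCH="aarch64-unknown-linux-gnu"
            UV_SHA256="${UV_AARCH64_SHA256}"
          else
            echo "ERROR: Unsupported architecture for uv: ${ARCH}" >&2
            exit 1
          fi
          curl -sSfL "${GITHUB_RELEASES_URL}/astral-sh/uv/releases/download/${UV_VERSION}/uv-${UV_ARCH}.tar.gz" -o /tmp/uv.tar.gz
          echo "${UV_SHA256}  /tmp/uv.tar.gz" | sha256sum -c -
          # tar runs as root here; --no-same-owner stops it from restoring the
          # owner IDs recorded in the archive onto files in /usr/local/bin.
          sudo tar -xzf /tmp/uv.tar.gz -C /usr/local/bin --strip-components=1 --no-same-owner "uv-${UV_ARCH}/uv" "uv-${UV_ARCH}/uvx"
          rm /tmp/uv.tar.gz
          uv --version
          uvx --version

          echo "Syncing Python environments for skills..."
          failed=0
          # NUL-delimited find/read keeps paths with spaces or newlines intact.
          while IFS= read -r -d '' f; do
            dir="$(dirname "${f}")"
            echo "Installing dependencies in ${dir}"
            if ! (cd "${dir}" && uv sync); then
              echo "::error::uv sync failed in ${dir}"
              failed=1
            fi
          done < <(find .github/skills -name pyproject.toml -type f -print0)
          # Report every failing directory first, then fail the step once.
          if [[ "${failed}" -ne 0 ]]; then
            echo "::error::One or more skill dependency installations failed"
            exit 1
          fi

          echo "Syncing Python environment for moderation eval..."
          if ! (cd scripts/evals/moderation && uv sync --locked); then
            echo "::error::uv sync failed in scripts/evals/moderation"
            exit 1
          fi

      # cosign ships as a bare binary, so the digest is checked on the file
      # itself before it is installed.
      - name: Install cosign
        env:
          COSIGN_VERSION: '3.0.5'
          COSIGN_AMD64_SHA256: 'db15cc99e6e4837daabab023742aaddc3841ce57f193d11b7c3e06c8003642b2'
          COSIGN_ARM64_SHA256: 'd098f3168ae4b3aa70b4ca78947329b953272b487727d1722cb3cb098a1a20ab'
          GITHUB_RELEASES_URL: ${{ vars.HVE_GITHUB_RELEASES_URL || 'https://github.com' }}
        run: |
          ARCH=$(uname -m)
          if [[ "${ARCH}" == "x86_64" ]]; then
            COSIGN_ARCH="amd64"
            COSIGN_SHA256="${COSIGN_AMD64_SHA256}"
          elif [[ "${ARCH}" == "aarch64" ]]; then
            COSIGN_ARCH="arm64"
            COSIGN_SHA256="${COSIGN_ARM64_SHA256}"
          else
            echo "ERROR: Unsupported architecture for cosign: ${ARCH}" >&2
            exit 1
          fi
          curl -sSfL "${GITHUB_RELEASES_URL}/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" -o /tmp/cosign
          if ! echo "${COSIGN_SHA256}  /tmp/cosign" | sha256sum -c --quiet -; then
            echo "ERROR: cosign checksum verification failed" >&2
            exit 1
          fi
          sudo install /tmp/cosign /usr/local/bin/cosign
          rm /tmp/cosign
          cosign version

      # Final smoke test: any tool missing from PATH fails the step here
      # rather than later, during agent work.
      - name: Verify tool availability
        run: |
          echo "=== Tool Versions ==="
          node --version
          npm --version
          python3 --version
          pwsh --version
          shellcheck --version
          actionlint --version
          uv --version
          uvx --version
          cosign version
          echo ""
          echo "=== npm Scripts Available ==="
          npm run --list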