.github/workflows/dependency-pr-review.lock.yml


1# ___ _ _
2# / _ \ | | (_)
3# | |_| | __ _ ___ _ __ | |_ _ ___
4# | _ |/ _` |/ _ \ '_ \| __| |/ __|
5# | | | | (_| | __/ | | | |_| | (__
6# \_| |_/\__, |\___|_| |_|\__|_|\___|
7# __/ |
8# _ _ |___/
9# | | | | / _| |
10# | | | | ___ _ __ _ __| |_| | _____ ____
11# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___|
12# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
13# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
14#
15# This file was automatically generated by gh-aw (v0.65.4). DO NOT EDIT.
16#
17# To update this file, edit the corresponding .md file and run:
18# gh aw compile
19# Not all edits will cause changes to this file.
20#
21# For more information: https://github.github.com/gh-aw/introduction/overview/
22#
23# Reviews and auto-approves Dependabot version bump PRs after safety validation
24#
25# Resolved workflow manifest:
26# Imports:
27# - ../agents/dependency-reviewer.agent.md
28#
29# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"806a4e240dc1b4446eb4aca13796de8afa9b0d1827932d7422d28ff884a91b47","compiler_version":"v0.65.4","strict":true,"agent_id":"copilot"}
30
# Workflow identity; run-name mirrors it so runs list under the same label.
name: 'Dependabot PR Review'

# Key is quoted so a YAML 1.1 parser does not read `on` as boolean true.
'on':
  pull_request:
    types:
      - opened
      - synchronize
    # Only dependency manifests, workflow files and the devcontainer trigger a run.
    paths:
      - 'package.json'
      - 'package-lock.json'
      - '**/requirements.txt'
      - '**/pyproject.toml'
      - '.github/workflows/*.yml'
      - '.devcontainer/**'

# No default token scopes at workflow level; each job declares exactly what it needs.
permissions: {}

# One run per PR (falling back to ref, then run id); a newer push cancels the older run.
concurrency:
  group: 'gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}'
  cancel-in-progress: true

run-name: 'Dependabot PR Review'
52
53jobs:
  # Activation job. It is the only job in this excerpt that holds write scopes;
  # the `agent` job further down runs with contents/pull-requests read and
  # reports back through safe outputs. This job gates the run, builds the
  # agent prompt, and hands it to the agent job as a short-lived artifact.
  activation:
    # pre_activation is defined elsewhere in this file (not in this excerpt).
    needs: pre_activation
    # Same-repository guard: for pull_request events the head repo id must match
    # this repository, so a fork-sourced PR never reaches the write-scoped steps.
    if: >
      needs.pre_activation.outputs.activated == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id)
    runs-on: ubuntu-slim
    # Write scopes are confined to this job (reaction/comment handling below).
    permissions:
      contents: read
      discussions: write
      issues: write
      pull-requests: write
    # comment_id/comment_repo are fixed empty: the workflow's only trigger is
    # pull_request, so there is no triggering comment to reference.
    outputs:
      body: ${{ steps.sanitized.outputs.body }}
      comment_id: ""
      comment_repo: ""
      lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
      model: ${{ steps.generate_aw_info.outputs.model }}
      secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
      text: ${{ steps.sanitized.outputs.text }}
      title: ${{ steps.sanitized.outputs.title }}
    steps:
      # Fetches the gh-aw helper scripts (action pinned by commit SHA) into
      # runner.temp; every later step require()s or runs them from there.
      - name: Setup Scripts
        uses: github/gh-aw-actions/setup@536ea1bad8c6715d098a9dc1afea8d403733acfe # v0.65.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
      # Records engine/firewall metadata for the run. Values are quoted so they
      # stay literal strings ("true"/"false") rather than YAML booleans.
      - name: Generate agentic run info
        id: generate_aw_info
        env:
          GH_AW_INFO_ENGINE_ID: "copilot"
          GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
          GH_AW_INFO_VERSION: "latest"
          GH_AW_INFO_AGENT_VERSION: "latest"
          GH_AW_INFO_CLI_VERSION: "v0.65.4"
          GH_AW_INFO_WORKFLOW_NAME: "Dependabot PR Review"
          GH_AW_INFO_EXPERIMENTAL: "false"
          GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
          GH_AW_INFO_STAGED: "false"
          GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]'
          GH_AW_INFO_FIREWALL_ENABLED: "true"
          GH_AW_INFO_AWF_VERSION: "v0.25.6"
          GH_AW_INFO_AWMG_VERSION: ""
          GH_AW_INFO_FIREWALL_TYPE: "squid"
          GH_AW_COMPILED_STRICT: "true"
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
            await main(core, context);
      # `&&` binds tighter than `||` in this expression, so the same-repo check
      # applies only to the pull_request alternative; the other event names are
      # generic gh-aw cases that this workflow's trigger never produces.
      - name: Add eyes reaction for immediate feedback
        id: react
        if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.id == github.repository_id
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_REACTION: "eyes"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/add_reaction.cjs');
            await main();
      # The secret reaches the script through env, not as an argument, so it is
      # not visible on the process command line; only the secret *name* is passed.
      - name: Validate COPILOT_GITHUB_TOKEN secret
        id: validate-secret
        run: ${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
      # persist-credentials: false keeps the token out of .git/config. Only
      # .github and .agents are fetched (cone mode, depth 1) — that is where the
      # runtime-imported prompt files used further down live.
      - name: Checkout .github and .agents folders
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
        with:
          persist-credentials: false
          sparse-checkout: |
            .github
            .agents
          sparse-checkout-cone-mode: true
          fetch-depth: 1
      # Staleness check of this lock file against its source (helper script not
      # in this excerpt).
      - name: Check workflow file timestamps
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_WORKFLOW_FILE: "dependency-pr-review.lock.yml"
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs');
            await main();
      # Reports whether a newer compiler than v0.65.4 is available (script not
      # in this excerpt).
      - name: Check compile-agentic version
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_COMPILED_VERSION: "v0.65.4"
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_version_updates.cjs');
            await main();
      # Produces the `sanitized` step outputs (title/text/body) that this job
      # exports; the processing itself is in compute_text.cjs, outside this excerpt.
      - name: Compute current body text
        id: sanitized
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/compute_text.cjs');
            await main();
      # Assembles the agent prompt from fixed fragments under runner.temp
      # (xpia.md, temp_folder_prompt.md, markdown.md, safe_outputs_prompt.md, the
      # MCP tools prompt) plus two {{#runtime-import}} directives pointing at
      # .github files from the sparse checkout above. Event-derived values enter
      # only through the GH_AW_GITHUB_* env vars; the run body contains no
      # inline ${{ }} expressions.
      # NOTE(review): the two runtime-imported files come from the checked-out
      # ref, so branch edits to them change what the agent is told; the
      # same-repo `if` on this job is the control that keeps fork edits out.
      # Confirm which ref actions/checkout resolves for pull_request here.
      - name: Create prompt with built-in context
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
          GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
          GH_AW_GITHUB_ACTOR: ${{ github.actor }}
          GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
          GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
          GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
          GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
          GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
          GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
          GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
        # poutine:ignore untrusted_checkout_exec
        run: |
          bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
          {
            cat << 'GH_AW_PROMPT_c92c91964a9f420b_EOF'
          <system>
          GH_AW_PROMPT_c92c91964a9f420b_EOF
            cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
            cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
            cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
            cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
            cat << 'GH_AW_PROMPT_c92c91964a9f420b_EOF'
          <safe-output-tools>
          Tools: add_comment(max:2), create_pull_request_review_comment(max:5), submit_pull_request_review, missing_tool, missing_data, noop
          </safe-output-tools>
          <github-context>
          The following GitHub context information is available for this workflow:
          {{#if __GH_AW_GITHUB_ACTOR__ }}
          - **actor**: __GH_AW_GITHUB_ACTOR__
          {{/if}}
          {{#if __GH_AW_GITHUB_REPOSITORY__ }}
          - **repository**: __GH_AW_GITHUB_REPOSITORY__
          {{/if}}
          {{#if __GH_AW_GITHUB_WORKSPACE__ }}
          - **workspace**: __GH_AW_GITHUB_WORKSPACE__
          {{/if}}
          {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
          - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
          {{/if}}
          {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
          - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
          {{/if}}
          {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
          - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
          {{/if}}
          {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
          - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
          {{/if}}
          {{#if __GH_AW_GITHUB_RUN_ID__ }}
          - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
          {{/if}}
          - **checkouts**: The following repositories have been checked out and are available in the workspace:
            - `$GITHUB_WORKSPACE` → `__GH_AW_GITHUB_REPOSITORY__` (cwd) [shallow clone, fetch-depth=1 (default)]
          - **Note**: If a branch you need is not in the list above and is not listed as an additional fetched ref, it has NOT been checked out. For private repositories you cannot fetch it without proper authentication. If the branch is required and not available, exit with an error and ask the user to add it to the `fetch:` option of the `checkout:` configuration (e.g., `fetch: ["refs/pulls/open/*"]` for all open PR refs, or `fetch: ["main", "feature/my-branch"]` for specific branches).
          </github-context>

          GH_AW_PROMPT_c92c91964a9f420b_EOF
            cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
            cat << 'GH_AW_PROMPT_c92c91964a9f420b_EOF'
          </system>
          {{#runtime-import .github/agents/dependency-reviewer.agent.md}}
          {{#runtime-import .github/workflows/dependency-pr-review.md}}
          GH_AW_PROMPT_c92c91964a9f420b_EOF
          } > "$GH_AW_PROMPT"
      # Presumably renders the {{#if}}/{{#runtime-import}} directives written
      # above (interpolate_prompt.cjs, outside this excerpt).
      - name: Interpolate variables and render templates
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs');
            await main();
      # Replaces the __GH_AW_*__ placeholders in the prompt file. The values are
      # read from process.env (set in `env:` here) instead of being interpolated
      # with ${{ }} into the JS source, so event text never becomes script code.
      - name: Substitute placeholders
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
          GH_AW_GITHUB_ACTOR: ${{ github.actor }}
          GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
          GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
          GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
          GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
          GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
          GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
          GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
          GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }}
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);

            const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs');

            // Call the substitution function
            return await substitutePlaceholders({
              file: process.env.GH_AW_PROMPT,
              substitutions: {
                GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
                GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
                GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
                GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
                GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
                GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
                GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
                GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
                GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED
              }
            });
      # Guard against placeholders that survived substitution (script outside
      # this excerpt; behaviour inferred from its name).
      - name: Validate prompt placeholders
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
        # poutine:ignore untrusted_checkout_exec
        run: bash ${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh
      # Logs a summary of the final prompt for the run.
      - name: Print prompt
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
        # poutine:ignore untrusted_checkout_exec
        run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh
      # Hands aw_info.json and the prompt to the `agent` job as a 1-day artifact
      # (that job downloads it into /tmp/gh-aw) rather than via job outputs.
      - name: Upload activation artifact
        if: success()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3
        with:
          name: activation
          path: |
            /tmp/gh-aw/aw_info.json
            /tmp/gh-aw/aw-prompts/prompt.txt
          retention-days: 1
290
291 agent:
292 needs: activation
293 runs-on: ubuntu-latest
294 permissions:
295 contents: read
296 pull-requests: read
297 env:
298 DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
299 GH_AW_ASSETS_ALLOWED_EXTS: ""
300 GH_AW_ASSETS_BRANCH: ""
301 GH_AW_ASSETS_MAX_SIZE_KB: 0
302 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
303 GH_AW_WORKFLOW_ID_SANITIZED: dependencyprreview
304 outputs:
305 checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
306 has_patch: ${{ steps.collect_output.outputs.has_patch }}
307 inference_access_error: ${{ steps.detect-inference-error.outputs.inference_access_error || 'false' }}
308 model: ${{ needs.activation.outputs.model }}
309 output: ${{ steps.collect_output.outputs.output }}
310 output_types: ${{ steps.collect_output.outputs.output_types }}
311 steps:
312 - name: Setup Scripts
313 uses: github/gh-aw-actions/setup@536ea1bad8c6715d098a9dc1afea8d403733acfe # v0.65.6
314 with:
315 destination: ${{ runner.temp }}/gh-aw/actions
316 - name: Set runtime paths
317 id: set-runtime-paths
318 run: |
319 echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl" >> "$GITHUB_OUTPUT"
320 echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" >> "$GITHUB_OUTPUT"
321 echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json" >> "$GITHUB_OUTPUT"
322 - name: Checkout repository
323 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
324 with:
325 persist-credentials: false
326 sparse-checkout: |
327 .github/copilot-instructions.md
328 .github/instructions/coding-standards/
329 .github/instructions/hve-core/
330 .github/instructions/shared/
331 .devcontainer/
332 .github/workflows/copilot-setup-steps.yml
333 package.json
334 package-lock.json
335 .github/skills/
336 - name: Merge remote .github folder
337 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
338 env:
339 GH_AW_AGENT_FILE: ".github/agents/dependency-reviewer.agent.md"
340 GH_AW_AGENT_IMPORT_SPEC: "../agents/dependency-reviewer.agent.md"
341 with:
342 script: |
343 const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
344 setupGlobals(core, github, context, exec, io);
345 const { main } = require('${{ runner.temp }}/gh-aw/actions/merge_remote_agent_github_folder.cjs');
346 await main();
347 - name: Create gh-aw temp directory
348 run: bash ${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh
349 - name: Configure gh CLI for GitHub Enterprise
350 run: bash ${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh
351 env:
352 GH_TOKEN: ${{ github.token }}
353 - name: Configure Git credentials
354 env:
355 REPO_NAME: ${{ github.repository }}
356 SERVER_URL: ${{ github.server_url }}
357 run: |
358 git config --global user.email "github-actions[bot]@users.noreply.github.com"
359 git config --global user.name "github-actions[bot]"
360 git config --global am.keepcr true
361 # Re-authenticate git with GitHub token
362 SERVER_URL_STRIPPED="${SERVER_URL#https://}"
363 git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
364 echo "Git configured with standard GitHub Actions identity"
365 - name: Checkout PR branch
366 id: checkout-pr
367 if: |
368 github.event.pull_request || github.event.issue.pull_request
369 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
370 env:
371 GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
372 with:
373 github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
374 script: |
375 const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
376 setupGlobals(core, github, context, exec, io);
377 const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
378 await main();
379 - name: Install GitHub Copilot CLI
380 run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest
381 - name: Install AWF binary
382 run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.6
383 - name: Determine automatic lockdown mode for GitHub MCP Server
384 id: determine-automatic-lockdown
385 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
386 env:
387 GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
388 GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
389 with:
390 script: |
391 const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
392 await determineAutomaticLockdown(github, context, core);
393 - name: Download container images
394 run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.6 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.6 ghcr.io/github/gh-aw-firewall/squid:0.25.6 ghcr.io/github/gh-aw-mcpg:v0.2.11 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine
395 - name: Write Safe Outputs Config
396 run: |
397 mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
398 mkdir -p /tmp/gh-aw/safeoutputs
399 mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
400 cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_b196523387946e2d_EOF'
401 {"add_comment":{"max":2,"target":"triggering"},"create_pull_request_review_comment":{"max":5,"side":"RIGHT"},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"submit_pull_request_review":{"max":1}}
402 GH_AW_SAFE_OUTPUTS_CONFIG_b196523387946e2d_EOF
403 - name: Write Safe Outputs Tools
404 run: |
405 cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_fbe21cca8739bde4_EOF'
406 {
407 "description_suffixes": {
408 "add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added. Target: triggering.",
409 "create_pull_request_review_comment": " CONSTRAINTS: Maximum 5 review comment(s) can be created. Comments will be on the RIGHT side of the diff.",
410 "submit_pull_request_review": " CONSTRAINTS: Maximum 1 review(s) can be submitted."
411 },
412 "repo_params": {},
413 "dynamic_tools": []
414 }
415 GH_AW_SAFE_OUTPUTS_TOOLS_META_fbe21cca8739bde4_EOF
416 cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_ca6ff05df41f9547_EOF'
417 {
418 "add_comment": {
419 "defaultMax": 1,
420 "fields": {
421 "body": {
422 "required": true,
423 "type": "string",
424 "sanitize": true,
425 "maxLength": 65000
426 },
427 "item_number": {
428 "issueOrPRNumber": true
429 },
430 "repo": {
431 "type": "string",
432 "maxLength": 256
433 }
434 }
435 },
436 "create_pull_request_review_comment": {
437 "defaultMax": 1,
438 "fields": {
439 "body": {
440 "required": true,
441 "type": "string",
442 "sanitize": true,
443 "maxLength": 65000
444 },
445 "line": {
446 "required": true,
447 "positiveInteger": true
448 },
449 "path": {
450 "required": true,
451 "type": "string"
452 },
453 "pull_request_number": {
454 "optionalPositiveInteger": true
455 },
456 "repo": {
457 "type": "string",
458 "maxLength": 256
459 },
460 "side": {
461 "type": "string",
462 "enum": [
463 "LEFT",
464 "RIGHT"
465 ]
466 },
467 "start_line": {
468 "optionalPositiveInteger": true
469 }
470 },
471 "customValidation": "startLineLessOrEqualLine"
472 },
473 "missing_data": {
474 "defaultMax": 20,
475 "fields": {
476 "alternatives": {
477 "type": "string",
478 "sanitize": true,
479 "maxLength": 256
480 },
481 "context": {
482 "type": "string",
483 "sanitize": true,
484 "maxLength": 256
485 },
486 "data_type": {
487 "type": "string",
488 "sanitize": true,
489 "maxLength": 128
490 },
491 "reason": {
492 "type": "string",
493 "sanitize": true,
494 "maxLength": 256
495 }
496 }
497 },
498 "missing_tool": {
499 "defaultMax": 20,
500 "fields": {
501 "alternatives": {
502 "type": "string",
503 "sanitize": true,
504 "maxLength": 512
505 },
506 "reason": {
507 "required": true,
508 "type": "string",
509 "sanitize": true,
510 "maxLength": 256
511 },
512 "tool": {
513 "type": "string",
514 "sanitize": true,
515 "maxLength": 128
516 }
517 }
518 },
519 "noop": {
520 "defaultMax": 1,
521 "fields": {
522 "message": {
523 "required": true,
524 "type": "string",
525 "sanitize": true,
526 "maxLength": 65000
527 }
528 }
529 },
530 "submit_pull_request_review": {
531 "defaultMax": 1,
532 "fields": {
533 "body": {
534 "type": "string",
535 "sanitize": true,
536 "maxLength": 65000
537 },
538 "event": {
539 "type": "string",
540 "enum": [
541 "APPROVE",
542 "REQUEST_CHANGES",
543 "COMMENT"
544 ]
545 }
546 }
547 }
548 }
549 GH_AW_SAFE_OUTPUTS_VALIDATION_ca6ff05df41f9547_EOF
550 node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
551 - name: Generate Safe Outputs MCP Server Config
552 id: safe-outputs-config
553 run: |
554 # Generate a secure random API key (360 bits of entropy, 40+ chars)
555 # Mask immediately to prevent timing vulnerabilities
556 API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
557 echo "::add-mask::${API_KEY}"
558
559 PORT=3001
560
561 # Set outputs for next steps
562 {
563 echo "safe_outputs_api_key=${API_KEY}"
564 echo "safe_outputs_port=${PORT}"
565 } >> "$GITHUB_OUTPUT"
566
567 echo "Safe Outputs MCP server will run on port ${PORT}"
568
569 - name: Start Safe Outputs MCP HTTP Server
570 id: safe-outputs-start
571 env:
572 DEBUG: '*'
573 GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
574 GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
575 GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json
576 GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json
577 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
578 run: |
579 # Environment variables are set above to prevent template injection
580 export DEBUG
581 export GH_AW_SAFE_OUTPUTS_PORT
582 export GH_AW_SAFE_OUTPUTS_API_KEY
583 export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
584 export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
585 export GH_AW_MCP_LOG_DIR
586
587 bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh
588
589 - name: Start MCP Gateway
590 id: start-mcp-gateway
591 env:
592 GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
593 GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
594 GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
595 GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
596 GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
597 GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
598 run: |
599 set -eo pipefail
600 mkdir -p /tmp/gh-aw/mcp-config
601
602 # Export gateway environment variables for MCP config and gateway script
603 export MCP_GATEWAY_PORT="80"
604 export MCP_GATEWAY_DOMAIN="host.docker.internal"
605 MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
606 echo "::add-mask::${MCP_GATEWAY_API_KEY}"
607 export MCP_GATEWAY_API_KEY
608 export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
609 mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
610 export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
611 export DEBUG="*"
612
613 export GH_AW_ENGINE="copilot"
614 export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.11'
615
616 mkdir -p /home/runner/.copilot
617 cat << GH_AW_MCP_CONFIG_faffb8c9b44043ad_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
618 {
619 "mcpServers": {
620 "github": {
621 "type": "stdio",
622 "container": "ghcr.io/github/github-mcp-server:v0.32.0",
623 "env": {
624 "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
625 "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
626 "GITHUB_READ_ONLY": "1",
627 "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
628 },
629 "guard-policies": {
630 "allow-only": {
631 "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
632 "repos": "$GITHUB_MCP_GUARD_REPOS"
633 }
634 }
635 },
636 "safeoutputs": {
637 "type": "http",
638 "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
639 "headers": {
640 "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
641 },
642 "guard-policies": {
643 "write-sink": {
644 "accept": [
645 "*"
646 ]
647 }
648 }
649 }
650 },
651 "gateway": {
652 "port": $MCP_GATEWAY_PORT,
653 "domain": "${MCP_GATEWAY_DOMAIN}",
654 "apiKey": "${MCP_GATEWAY_API_KEY}",
655 "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
656 }
657 }
658 GH_AW_MCP_CONFIG_faffb8c9b44043ad_EOF
659 - name: Download activation artifact
660 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
661 with:
662 name: activation
663 path: /tmp/gh-aw
664 - name: Clean git credentials
665 continue-on-error: true
666 run: bash ${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh
667 - name: Execute GitHub Copilot CLI
668 id: agentic_execution
669 # Copilot CLI tool arguments (sorted):
670 timeout-minutes: 15
671 run: |
672 set -o pipefail
673 touch /tmp/gh-aw/agent-step-summary.md
674 # shellcheck disable=SC1003
675 sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.6 --skip-pull --enable-api-proxy \
676 -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
677 env:
678 COPILOT_AGENT_RUNNER_TYPE: STANDALONE
679 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
680 COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }}
681 GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
682 GH_AW_PHASE: agent
683 GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
684 GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
685 GH_AW_VERSION: v0.65.4
686 GITHUB_API_URL: ${{ github.api_url }}
687 GITHUB_AW: true
688 GITHUB_HEAD_REF: ${{ github.head_ref }}
689 GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
690 GITHUB_REF_NAME: ${{ github.ref_name }}
691 GITHUB_SERVER_URL: ${{ github.server_url }}
692 GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
693 GITHUB_WORKSPACE: ${{ github.workspace }}
694 GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
695 GIT_AUTHOR_NAME: github-actions[bot]
696 GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
697 GIT_COMMITTER_NAME: github-actions[bot]
698 XDG_CONFIG_HOME: /home/runner
699 - name: Detect inference access error
700 id: detect-inference-error
701 if: always()
702 continue-on-error: true
703 run: bash ${RUNNER_TEMP}/gh-aw/actions/detect_inference_access_error.sh
704 - name: Configure Git credentials
705 env:
706 REPO_NAME: ${{ github.repository }}
707 SERVER_URL: ${{ github.server_url }}
708 run: |
709 git config --global user.email "github-actions[bot]@users.noreply.github.com"
710 git config --global user.name "github-actions[bot]"
711 git config --global am.keepcr true
712 # Re-authenticate git with GitHub token
713 SERVER_URL_STRIPPED="${SERVER_URL#https://}"
714 git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
715 echo "Git configured with standard GitHub Actions identity"
716 - name: Copy Copilot session state files to logs
717 if: always()
718 continue-on-error: true
719 run: |
720 # Copy Copilot session state files to logs folder for artifact collection
721 # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them
722 SESSION_STATE_DIR="$HOME/.copilot/session-state"
723 LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
724
725 if [ -d "$SESSION_STATE_DIR" ]; then
726 echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
727 mkdir -p "$LOGS_DIR"
728 cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
729 echo "Session state files copied successfully"
730 else
731 echo "No session-state directory found at $SESSION_STATE_DIR"
732 fi
# Tears down the gateway process started by the start-mcp-gateway step (outside
# this view); best-effort on every outcome so a failed agent run still cleans up.
# NOTE(review): the gateway API key travels here as a step output; confirm the
# start step registers it with core.setSecret so it is masked in logs.
- name: Stop MCP Gateway
  continue-on-error: true
  if: always()
  run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
  env:
    GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
    MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
    MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
# Scrubs the literal values of the secrets named in GH_AW_SECRET_NAMES from the
# collected logs. The secret values are handed to the script through SECRET_*
# env vars so it can locate them. Placed before the upload steps below; note
# that "Copy Safe Outputs" writes a file after this step has already run.
- name: Redact secrets in logs
  if: always()
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  env:
    GH_AW_SECRET_NAMES: "COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN"
    SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
    SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
    SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
    SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:
    script: |
      const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs');
      await main();
# Appends the agent's summary to the job step summary on every outcome.
- if: always()
  name: Append agent step summary
  run: bash ${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh
# Copies the agent's safe-outputs file (path chosen by the set-runtime-paths
# step, outside this view) to the fixed location the artifact upload expects.
# NOTE(review): this runs after "Redact secrets in logs", so safeoutputs.jsonl
# is uploaded as written unless its source path was already inside the scanned
# tree — confirm.
- name: Copy Safe Outputs
  if: always()
  run: |
    mkdir -p /tmp/gh-aw
    cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true
  env:
    GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
# Parses the agent's NDJSON safe-outputs into agent_output.json. The domain
# allow-list is passed along — presumably so URLs in the agent output can be
# validated against it; the script itself is not visible here.
- id: collect_output
  name: Ingest agent output
  if: always()
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  with:
    script: |
      const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs');
      await main();
  env:
    GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
    GH_AW_ALLOWED_DOMAINS: 'api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com'
    GITHUB_API_URL: ${{ github.api_url }}
    GITHUB_SERVER_URL: ${{ github.server_url }}
# Renders the Copilot log directory into the step summary on every outcome.
- if: always()
  name: Parse agent logs for step summary
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  with:
    script: |
      const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_copilot_log.cjs');
      await main();
  env:
    GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
# Renders the MCP gateway log into the step summary on every outcome.
- if: always()
  name: Parse MCP Gateway logs for step summary
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
  with:
    script: |
      const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
      setupGlobals(core, github, context, exec, io);
      const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs');
      await main();
# Surfaces the AWF (firewall) egress summary. The logs are written as root by
# the sudo-launched sandbox, so they are made world-readable first so the
# upload step can collect them; both operations are best-effort.
- name: Print firewall logs
  continue-on-error: true
  if: always()
  run: |
    sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
    # awf is absent when the workflow failed before its install step
    if command -v awf >/dev/null 2>&1; then
      awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
    else
      echo 'AWF binary not installed, skipping firewall log summary'
    fi
  env:
    AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
# Guarantees downstream jobs always find agent_output.json, even when the
# agent produced nothing: an empty items list is written in that case.
- if: always()
  name: Write agent output placeholder if missing
  run: |
    [ -f /tmp/gh-aw/agent_output.json ] || echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
# Publishes the agent run as the "agent" artifact that the conclusion,
# detection and safe_outputs jobs download. Includes the prompt, logs, the
# parsed output, and any aw-*.patch / aw-*.bundle files (presumably
# agent-produced changes, which detection screens before they are used).
- name: Upload agent artifacts
  continue-on-error: true
  if: always()
  uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3
  with:
    if-no-files-found: ignore
    name: agent
    path: |
      /tmp/gh-aw/aw-prompts/prompt.txt
      /tmp/gh-aw/sandbox/agent/logs/
      /tmp/gh-aw/redacted-urls.log
      /tmp/gh-aw/mcp-logs/
      /tmp/gh-aw/agent-stdio.log
      /tmp/gh-aw/agent/
      /tmp/gh-aw/safeoutputs.jsonl
      /tmp/gh-aw/agent_output.json
      /tmp/gh-aw/aw-*.patch
      /tmp/gh-aw/aw-*.bundle
# Keeps the sandbox egress/audit trail as its own artifact for forensics.
- name: Upload firewall audit logs
  continue-on-error: true
  if: always()
  uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3
  with:
    if-no-files-found: ignore
    name: firewall-audit-logs
    path: |
      /tmp/gh-aw/sandbox/firewall/logs/
      /tmp/gh-aw/sandbox/firewall/audit/

# Reporting job: turns the run's outcome (no-op message, missing tools, agent
# failure) into issues/comments. Runs whenever the agent job produced a result,
# or when the activation lockdown check failed.
conclusion:
  if: always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true')
  needs: [activation, agent, detection, safe_outputs]
  runs-on: ubuntu-slim
  # Scopes GITHUB_TOKEN only; when GH_AW_GITHUB_TOKEN is configured the
  # github-script steps below run with whatever scope that token carries.
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write
  concurrency:
    cancel-in-progress: false
    group: 'gh-aw-conclusion-dependency-pr-review'
  outputs:
    noop_message: ${{ steps.noop.outputs.noop_message }}
    tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
    total_count: ${{ steps.missing_tool.outputs.total_count }}
  steps:
    - name: Setup Scripts
      uses: github/gh-aw-actions/setup@536ea1bad8c6715d098a9dc1afea8d403733acfe # v0.65.6
      with:
        destination: ${{ runner.temp }}/gh-aw/actions
    # The artifact may not exist (agent skipped/failed early); the download is
    # best-effort and the next step keys off its outcome.
    - id: download-agent-output
      name: Download agent output artifact
      continue-on-error: true
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: agent
        path: /tmp/gh-aw/
    - id: setup-agent-output-env
      name: Setup agent output environment variable
      if: steps.download-agent-output.outcome == 'success'
      run: |
        mkdir -p /tmp/gh-aw/
        find "/tmp/gh-aw/" -type f -print
        echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
    - id: noop
      name: Process No-Op Messages
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/noop.cjs');
          await main();
      env:
        GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
        GH_AW_NOOP_MAX: '1'
        GH_AW_WORKFLOW_NAME: 'Dependabot PR Review'
    - id: missing_tool
      name: Record Missing Tool
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs');
          await main();
      env:
        GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
        GH_AW_MISSING_TOOL_CREATE_ISSUE: 'true'
        GH_AW_WORKFLOW_NAME: 'Dependabot PR Review'
    # Runs on every outcome and is fed the activation/agent signals (secret
    # verification, PR checkout, inference access, lockdown check) so a failure
    # report can say which stage broke.
    - id: handle_agent_failure
      name: Handle Agent Failure
      if: always()
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
          await main();
      env:
        GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
        GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
        GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
        GH_AW_ENGINE_ID: 'copilot'
        GH_AW_FAILURE_REPORT_AS_ISSUE: 'true'
        GH_AW_GROUP_REPORTS: 'false'
        GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
        GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
        GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
        GH_AW_TIMEOUT_MINUTES: '15'
        GH_AW_WORKFLOW_ID: 'dependency-pr-review'
        GH_AW_WORKFLOW_NAME: 'Dependabot PR Review'
    - id: handle_noop_message
      name: Handle No-Op Message
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs');
          await main();
      env:
        GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
        GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
        GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
        GH_AW_NOOP_REPORT_AS_ISSUE: 'true'
        GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        GH_AW_WORKFLOW_NAME: 'Dependabot PR Review'

# Threat-detection pass: a second, sandboxed Copilot run that screens the
# agent's collected outputs and patches before the safe_outputs job acts on
# them. Only scheduled when the agent emitted output types or a patch.
detection:
  needs: agent
  if: >
    always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
  runs-on: ubuntu-latest
  outputs:
    # Exposed for downstream jobs; note safe_outputs gates on
    # needs.detection.result, not on these values.
    detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
    detection_success: ${{ steps.detection_conclusion.outputs.success }}
  steps:
    - name: Setup Scripts
      uses: github/gh-aw-actions/setup@536ea1bad8c6715d098a9dc1afea8d403733acfe # v0.65.6
      with:
        destination: ${{ runner.temp }}/gh-aw/actions
    - name: Download agent output artifact
      id: download-agent-output
      continue-on-error: true
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: agent
        path: /tmp/gh-aw/
    - name: Setup agent output environment variable
      id: setup-agent-output-env
      if: steps.download-agent-output.outcome == 'success'
      run: |
        mkdir -p /tmp/gh-aw/
        find "/tmp/gh-aw/" -type f -print
        echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
    # --- Threat Detection ---
    # NOTE(review): sandbox images are pinned by mutable tag (0.25.6), not by
    # digest; this step also has no detection_guard condition, so it pulls even
    # when detection is later skipped.
    - name: Download container images
      run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.6 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.6 ghcr.io/github/gh-aw-firewall/squid:0.25.6
    # Re-evaluates the job-level condition as a step output so every later step
    # can be guarded with steps.detection_guard.outputs.run_detection.
    - name: Check if detection needed
      id: detection_guard
      if: always()
      env:
        OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
        HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
      run: |
        if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
          echo "run_detection=true" >> "$GITHUB_OUTPUT"
          echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
        else
          echo "run_detection=false" >> "$GITHUB_OUTPUT"
          echo "Detection skipped: no agent outputs or patches to analyze"
        fi
    # Removes every MCP server configuration so the detection agent has no tool
    # surface beyond the CLI itself (built-in MCPs are also disabled below).
    - name: Clear MCP configuration for detection
      if: always() && steps.detection_guard.outputs.run_detection == 'true'
      run: |
        rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
        rm -f /home/runner/.copilot/mcp-config.json
        rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
    # Stages the material under review (prompt, parsed output, any aw-*.patch /
    # aw-*.bundle) in a dedicated directory. The `[ -f "$f" ]` guard handles
    # the unmatched-glob case, where the loop variable is the literal pattern.
    - name: Prepare threat detection files
      if: always() && steps.detection_guard.outputs.run_detection == 'true'
      run: |
        mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
        cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
        cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
        for f in /tmp/gh-aw/aw-*.patch; do
          [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
        done
        for f in /tmp/gh-aw/aw-*.bundle; do
          [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
        done
        echo "Prepared threat detection files:"
        ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
    - name: Setup threat detection
      if: always() && steps.detection_guard.outputs.run_detection == 'true'
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        WORKFLOW_NAME: "Dependabot PR Review"
        WORKFLOW_DESCRIPTION: "Reviews and auto-approves Dependabot version bump PRs after safety validation"
        HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
      with:
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
          await main();
    - name: Ensure threat-detection directory and log
      if: always() && steps.detection_guard.outputs.run_detection == 'true'
      run: |
        mkdir -p /tmp/gh-aw/threat-detection
        touch /tmp/gh-aw/threat-detection/detection.log
    # NOTE(review): `latest` is unpinned, whereas the AWF binary and images are
    # pinned to v0.25.6; pinning the CLI version keeps runs reproducible and
    # auditable.
    - name: Install GitHub Copilot CLI
      run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest
    - name: Install AWF binary
      run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.6
    # The detection agent runs inside the AWF sandbox: egress is limited to the
    # --allow-domains list, the gh-aw scripts are mounted read-only, and
    # COPILOT_GITHUB_TOKEN is excluded from the container environment
    # (--exclude-env) with --enable-api-proxy turned on — presumably the proxy
    # attaches the token host-side; confirm against the AWF docs.
    # --allow-all-tools is broad, but the MCP config was cleared above and
    # built-in MCPs are disabled.
    - name: Execute GitHub Copilot CLI
      if: always() && steps.detection_guard.outputs.run_detection == 'true'
      id: detection_agentic_execution
      # Copilot CLI tool arguments (sorted):
      timeout-minutes: 20
      run: |
        set -o pipefail
        touch /tmp/gh-aw/agent-step-summary.md
        # shellcheck disable=SC1003
        sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.6 --skip-pull --enable-api-proxy \
          -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
      env:
        COPILOT_AGENT_RUNNER_TYPE: STANDALONE
        COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        # Repository variable; empty string selects the CLI default.
        COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
        GH_AW_PHASE: detection
        GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
        GH_AW_VERSION: v0.65.4
        GITHUB_API_URL: ${{ github.api_url }}
        # Unquoted YAML boolean; GitHub stringifies env values, so the process
        # receives the text "true".
        GITHUB_AW: true
        GITHUB_HEAD_REF: ${{ github.head_ref }}
        GITHUB_REF_NAME: ${{ github.ref_name }}
        GITHUB_SERVER_URL: ${{ github.server_url }}
        GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
        GITHUB_WORKSPACE: ${{ github.workspace }}
        GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
        GIT_AUTHOR_NAME: github-actions[bot]
        GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
        GIT_COMMITTER_NAME: github-actions[bot]
        XDG_CONFIG_HOME: /home/runner
    - name: Upload threat detection log
      if: always() && steps.detection_guard.outputs.run_detection == 'true'
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3
      with:
        name: detection
        path: /tmp/gh-aw/threat-detection/detection.log
        if-no-files-found: ignore
    # Runs on every outcome; RUN_DETECTION tells the script whether a verdict
    # is expected or detection was skipped. Its success output decides whether
    # safe_outputs runs at all.
    - name: Parse and conclude threat detection
      id: detection_conclusion
      if: always()
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      env:
        RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
      with:
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
          await main();

# Activation gate: fork PRs are excluded at the job condition, and the run only
# activates when the actor holds one of the roles in GH_AW_REQUIRED_ROLES.
# NOTE(review): Dependabot PRs are authored by dependabot[bot]; confirm that
# check_membership.cjs treats that actor as holding a required role, otherwise
# the workflow never activates for the PRs it is meant to review.
pre_activation:
  if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id
  runs-on: ubuntu-slim
  outputs:
    activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
    matched_command: ""
  steps:
    - name: Setup Scripts
      uses: github/gh-aw-actions/setup@536ea1bad8c6715d098a9dc1afea8d403733acfe # v0.65.6
      with:
        destination: ${{ runner.temp }}/gh-aw/actions
    # Uses the default GITHUB_TOKEN only (no PAT fallback here).
    - id: check_membership
      name: Check team membership for workflow
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs');
          await main();
      env:
        GH_AW_REQUIRED_ROLES: 'admin,maintainer,write'

# Executes the actions the agent requested (comments, review comments, a PR
# review) — only after the detection job succeeded and the run was not
# cancelled. This is the one job in the file that writes back to the PR.
safe_outputs:
  if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
  needs: [agent, detection]
  runs-on: ubuntu-slim
  timeout-minutes: 15
  # Scopes GITHUB_TOKEN only; pull-requests: write is what a PR review
  # submission needs. If GH_AW_GITHUB_TOKEN is configured, the github-script
  # step below runs with that token's own scope instead.
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write
  env:
    GH_AW_CALLER_WORKFLOW_ID: '${{ github.repository }}/dependency-pr-review'
    GH_AW_ENGINE_ID: 'copilot'
    GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
    GH_AW_WORKFLOW_ID: 'dependency-pr-review'
    GH_AW_WORKFLOW_NAME: 'Dependabot PR Review'
  outputs:
    code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
    code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
    comment_id: ${{ steps.process_safe_outputs.outputs.comment_id }}
    comment_url: ${{ steps.process_safe_outputs.outputs.comment_url }}
    create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
    create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
    process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
    process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
  steps:
    - name: Setup Scripts
      uses: github/gh-aw-actions/setup@536ea1bad8c6715d098a9dc1afea8d403733acfe # v0.65.6
      with:
        destination: ${{ runner.temp }}/gh-aw/actions
    - id: download-agent-output
      name: Download agent output artifact
      continue-on-error: true
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: agent
        path: /tmp/gh-aw/
    - id: setup-agent-output-env
      name: Setup agent output environment variable
      if: steps.download-agent-output.outcome == 'success'
      run: |
        mkdir -p /tmp/gh-aw/
        find "/tmp/gh-aw/" -type f -print
        echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
    - id: ghes-host-config
      name: Configure GH_HOST for enterprise compatibility
      shell: bash
      run: |
        # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
        # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
        GH_HOST="${GITHUB_SERVER_URL#https://}"
        GH_HOST="${GH_HOST#http://}"
        echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
    # GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG is the allow-list of what the agent may
    # do and how often: 2 comments on the triggering PR, 5 review comments
    # (RIGHT side), 1 review submission, 1 no-op report, plus missing_data /
    # missing_tool records. Output types outside this map are presumably not
    # executed by safe_output_handler_manager.cjs (script not visible here).
    - id: process_safe_outputs
      name: Process Safe Outputs
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        script: |
          const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
          setupGlobals(core, github, context, exec, io);
          const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
          await main();
      env:
        GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
        GH_AW_ALLOWED_DOMAINS: 'api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com'
        GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"max":2,"target":"triggering"},"create_pull_request_review_comment":{"max":5,"side":"RIGHT"},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"submit_pull_request_review":{"max":1}}'
        GITHUB_API_URL: ${{ github.api_url }}
        GITHUB_SERVER_URL: ${{ github.server_url }}
    - name: Upload Safe Output Items
      if: always()
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3
      with:
        if-no-files-found: ignore
        name: safe-output-items
        path: /tmp/gh-aw/safe-output-items.jsonl
