From c0ce5a98e12fe48b43a599f1f1819e51d08c26f2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Oct 2025 17:37:04 +0000 Subject: [PATCH 1/5] Initial plan From 056d1c6e6acf9f7eeff38977c795c2a97619754f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Oct 2025 17:42:23 +0000 Subject: [PATCH 2/5] Initial exploration of strict mode requirements for agentic workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/cli-version-checker.lock.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index a83c4801367..56da9b2f4e8 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1025,7 +1025,7 @@ jobs: - **Document Changes**: Include detailed information in the PR description - **Test First**: The recompile step will catch obvious issues - **Security Focused**: Prioritize security updates - - **DO NOT COMMIT *.lock.yml files directly**. These files will be reconstructed by another action. + - **DO NOT COMMIT `*.lock.yml` and `pkg/workflow/js/*.js` files directly**. These files will be reconstructed by another action. ## PR Description Template 
@@ -2736,7 +2736,7 @@ jobs: AGENT_OUTPUT: ${{ needs.agent.outputs.output }} WORKFLOW_NAME: "CLI Version Checker" WORKFLOW_DESCRIPTION: "No description provided" - WORKFLOW_MARKDOWN: "# CLI Version Checker\n\nYou are the CLI Version Checker agent, responsible for monitoring updates to the agentic CLI tools used in this project and proposing updates when new versions are available.\n\n## Mission\n\nCheck for new versions of the following agentic CLIs daily:\n1. **Claude Code** (`@anthropic-ai/claude-code`)\n2. **GitHub Copilot CLI** (`@github/copilot`)\n3. **OpenAI Codex** (`@openai/codex`)\n\nWhen updates are found, update the default versions in the codebase and create a pull request.\n\n## Current Context\n\n- **Repository**: ${{ github.repository }}\n- **Triggered**: Scheduled daily check\n- **Run ID**: ${{ github.run_id }}\n\n## Checking Process\n\n### Phase 1: Check Claude Code Version\n\n1. **Fetch NPM Registry Data**:\n - Use web-fetch to get the latest version from `https://registry.npmjs.org/@anthropic-ai/claude-code/latest`\n - Extract the `version` field from the JSON response\n \n2. **Check Current Version**:\n - Read `/home/runner/work/gh-aw/gh-aw/pkg/constants/constants.go`\n - Find the current `DefaultClaudeCodeVersion` constant value\n\n3. **Compare Versions**:\n - If the NPM version is newer than the current version, mark Claude for update\n\n4. **Review Changelog (if update available)**:\n - Fetch the changelog from NPM package metadata\n - Look for breaking changes, important features, or security fixes\n - Note any changes that might affect our usage\n\n### Phase 2: Check GitHub Copilot CLI Version\n\n1. **Fetch NPM Registry Data**:\n - Use web-fetch to get the latest version from `https://registry.npmjs.org/@github/copilot/latest`\n - Extract the `version` field from the JSON response\n\n2. 
**Review Changelog**:\n - Check the GitHub repository at `https://github.com/github/copilot-cli` for changelog\n - Look at recent releases or changelog.md\n - Note any breaking changes or important updates\n\n3. **Determine Update Strategy**:\n - Since Copilot uses \"latest\" by default, note the current available version\n - Document any important changes in the PR description\n\n### Phase 3: Check OpenAI Codex Version\n\n1. **Fetch NPM Registry Data**:\n - Use web-fetch to get the latest version from `https://registry.npmjs.org/@openai/codex/latest`\n - Extract the `version` field from the JSON response\n\n2. **Review Releases**:\n - Check GitHub releases at `https://github.com/openai/codex/releases` using web-fetch\n - Note any breaking changes or important updates\n\n3. **Determine Update Strategy**:\n - Since Codex uses \"latest\" by default, note the current available version\n - Document any important changes in the PR description\n\n### Phase 4: Update Code If Needed\n\nIf any CLI has a newer version available:\n\n1. **Update Constants File**:\n - Edit `/home/runner/work/gh-aw/gh-aw/pkg/constants/constants.go`\n - Update `DefaultClaudeCodeVersion` to the new version if Claude has an update\n - Use the `Edit` tool to make surgical changes to the constant value\n\n2. **Recompile Workflows**:\n - Run `make recompile` to ensure all workflows are updated with the new version\n - This ensures the compiled `.lock.yml` files reflect the version change\n\n3. **Verify Changes**:\n - Run `git status` to see what files changed\n - Verify that only expected files were modified\n\n### Phase 5: Create Pull Request\n\nIf updates were made:\n\n1. **Prepare PR Description**:\n - Title: \"[auto] Update agentic CLI versions\"\n - Description should include:\n - Which CLIs were updated and to what versions\n - Summary of important changes from changelogs\n - Any breaking changes or migration notes\n - Link to changelogs for each updated CLI\n\n2. 
**Create PR Using Safe Outputs**:\n - Use the safe-outputs create-pull-request mechanism\n - The PR will be created automatically with your changes\n\n## Important Guidelines\n\n- **Be Conservative**: Only update if the new version is stable (not pre-release)\n- **Check Compatibility**: Review changelogs for breaking changes\n- **Document Changes**: Include detailed information in the PR description\n- **Test First**: The recompile step will catch obvious issues\n- **Security Focused**: Prioritize security updates\n- **DO NOT COMMIT *.lock.yml files directly**. These files will be reconstructed by another action.\n\n## PR Description Template\n\nUse this template when creating the PR:\n\n```markdown\n# Update Agentic CLI Versions\n\nThis automated PR updates the default versions for agentic CLIs used in gh-aw.\n\n## Changes\n\n### Claude Code\n- **Previous Version**: [old version]\n- **New Version**: [new version]\n- **Changelog**: [link to changelog or key changes]\n\n### GitHub Copilot CLI\n- **Current Available**: [version]\n- **Changelog**: [link to changelog or key changes]\n- **Note**: Uses \"latest\" tag by default\n\n### OpenAI Codex\n- **Current Available**: [version]\n- **Releases**: [link to releases or key changes]\n- **Note**: Uses \"latest\" tag by default\n\n## Migration Notes\n\n[Any breaking changes or important updates users should be aware of]\n\n## Testing\n\n- [x] Workflows recompiled successfully with `make recompile`\n- [x] Constants file updated\n- [ ] Manual testing recommended before merge\n\n## References\n\n- Claude NPM: https://www.npmjs.com/package/@anthropic-ai/claude-code\n- Copilot NPM: https://www.npmjs.com/package/@github/copilot\n- Codex NPM: https://www.npmjs.com/package/@openai/codex\n```\n\n## Error Handling\n\n- If NPM registry is unavailable, retry once after 30 seconds\n- If changelog fetch fails, proceed with version update but note in PR\n- If recompile fails, do NOT create PR - log the error\n- If no updates are 
available, exit successfully without creating PR\n\n## Security Notes\n\n- Never execute code from external sources\n- Only fetch data from trusted NPM registry and official GitHub repos\n- Validate version strings match semver format before updating\n- Review changelogs for security-related updates\n" + WORKFLOW_MARKDOWN: "# CLI Version Checker\n\nYou are the CLI Version Checker agent, responsible for monitoring updates to the agentic CLI tools used in this project and proposing updates when new versions are available.\n\n## Mission\n\nCheck for new versions of the following agentic CLIs daily:\n1. **Claude Code** (`@anthropic-ai/claude-code`)\n2. **GitHub Copilot CLI** (`@github/copilot`)\n3. **OpenAI Codex** (`@openai/codex`)\n\nWhen updates are found, update the default versions in the codebase and create a pull request.\n\n## Current Context\n\n- **Repository**: ${{ github.repository }}\n- **Triggered**: Scheduled daily check\n- **Run ID**: ${{ github.run_id }}\n\n## Checking Process\n\n### Phase 1: Check Claude Code Version\n\n1. **Fetch NPM Registry Data**:\n - Use web-fetch to get the latest version from `https://registry.npmjs.org/@anthropic-ai/claude-code/latest`\n - Extract the `version` field from the JSON response\n \n2. **Check Current Version**:\n - Read `/home/runner/work/gh-aw/gh-aw/pkg/constants/constants.go`\n - Find the current `DefaultClaudeCodeVersion` constant value\n\n3. **Compare Versions**:\n - If the NPM version is newer than the current version, mark Claude for update\n\n4. **Review Changelog (if update available)**:\n - Fetch the changelog from NPM package metadata\n - Look for breaking changes, important features, or security fixes\n - Note any changes that might affect our usage\n\n### Phase 2: Check GitHub Copilot CLI Version\n\n1. **Fetch NPM Registry Data**:\n - Use web-fetch to get the latest version from `https://registry.npmjs.org/@github/copilot/latest`\n - Extract the `version` field from the JSON response\n\n2. 
**Review Changelog**:\n - Check the GitHub repository at `https://github.com/github/copilot-cli` for changelog\n - Look at recent releases or changelog.md\n - Note any breaking changes or important updates\n\n3. **Determine Update Strategy**:\n - Since Copilot uses \"latest\" by default, note the current available version\n - Document any important changes in the PR description\n\n### Phase 3: Check OpenAI Codex Version\n\n1. **Fetch NPM Registry Data**:\n - Use web-fetch to get the latest version from `https://registry.npmjs.org/@openai/codex/latest`\n - Extract the `version` field from the JSON response\n\n2. **Review Releases**:\n - Check GitHub releases at `https://github.com/openai/codex/releases` using web-fetch\n - Note any breaking changes or important updates\n\n3. **Determine Update Strategy**:\n - Since Codex uses \"latest\" by default, note the current available version\n - Document any important changes in the PR description\n\n### Phase 4: Update Code If Needed\n\nIf any CLI has a newer version available:\n\n1. **Update Constants File**:\n - Edit `/home/runner/work/gh-aw/gh-aw/pkg/constants/constants.go`\n - Update `DefaultClaudeCodeVersion` to the new version if Claude has an update\n - Use the `Edit` tool to make surgical changes to the constant value\n\n2. **Recompile Workflows**:\n - Run `make recompile` to ensure all workflows are updated with the new version\n - This ensures the compiled `.lock.yml` files reflect the version change\n\n3. **Verify Changes**:\n - Run `git status` to see what files changed\n - Verify that only expected files were modified\n\n### Phase 5: Create Pull Request\n\nIf updates were made:\n\n1. **Prepare PR Description**:\n - Title: \"[auto] Update agentic CLI versions\"\n - Description should include:\n - Which CLIs were updated and to what versions\n - Summary of important changes from changelogs\n - Any breaking changes or migration notes\n - Link to changelogs for each updated CLI\n\n2. 
**Create PR Using Safe Outputs**:\n - Use the safe-outputs create-pull-request mechanism\n - The PR will be created automatically with your changes\n\n## Important Guidelines\n\n- **Be Conservative**: Only update if the new version is stable (not pre-release)\n- **Check Compatibility**: Review changelogs for breaking changes\n- **Document Changes**: Include detailed information in the PR description\n- **Test First**: The recompile step will catch obvious issues\n- **Security Focused**: Prioritize security updates\n- **DO NOT COMMIT `*.lock.yml` and `pkg/workflow/js/*.js` files directly**. These files will be reconstructed by another action.\n\n## PR Description Template\n\nUse this template when creating the PR:\n\n```markdown\n# Update Agentic CLI Versions\n\nThis automated PR updates the default versions for agentic CLIs used in gh-aw.\n\n## Changes\n\n### Claude Code\n- **Previous Version**: [old version]\n- **New Version**: [new version]\n- **Changelog**: [link to changelog or key changes]\n\n### GitHub Copilot CLI\n- **Current Available**: [version]\n- **Changelog**: [link to changelog or key changes]\n- **Note**: Uses \"latest\" tag by default\n\n### OpenAI Codex\n- **Current Available**: [version]\n- **Releases**: [link to releases or key changes]\n- **Note**: Uses \"latest\" tag by default\n\n## Migration Notes\n\n[Any breaking changes or important updates users should be aware of]\n\n## Testing\n\n- [x] Workflows recompiled successfully with `make recompile`\n- [x] Constants file updated\n- [ ] Manual testing recommended before merge\n\n## References\n\n- Claude NPM: https://www.npmjs.com/package/@anthropic-ai/claude-code\n- Copilot NPM: https://www.npmjs.com/package/@github/copilot\n- Codex NPM: https://www.npmjs.com/package/@openai/codex\n```\n\n## Error Handling\n\n- If NPM registry is unavailable, retry once after 30 seconds\n- If changelog fetch fails, proceed with version update but note in PR\n- If recompile fails, do NOT create PR - log the 
error\n- If no updates are available, exit successfully without creating PR\n\n## Security Notes\n\n- Never execute code from external sources\n- Only fetch data from trusted NPM registry and official GitHub repos\n- Validate version strings match semver format before updating\n- Review changelogs for security-related updates\n" with: script: | const fs = require('fs'); @@ -2938,9 +2938,9 @@ jobs: GITHUB_AW_WORKFLOW_ID: "agent" GITHUB_AW_WORKFLOW_NAME: "CLI Version Checker" GITHUB_AW_BASE_BRANCH: ${{ github.ref_name }} - GITHUB_AW_PR_TITLE_PREFIX: "[auto] " + GITHUB_AW_PR_TITLE_PREFIX: "[ca] " GITHUB_AW_PR_LABELS: "automation,dependencies" - GITHUB_AW_PR_DRAFT: "false" + GITHUB_AW_PR_DRAFT: "true" GITHUB_AW_PR_IF_NO_CHANGES: "warn" GITHUB_AW_MAX_PATCH_SIZE: 1024 with: From 9abb0405ef546e28946e0e07e4ddade5ba046588 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Oct 2025 17:48:42 +0000 Subject: [PATCH 3/5] Add strict: true to all agentic workflows and fix strict mode violations - Added strict: true to all 15 workflow files in .github/workflows/ - Fixed dev.md: added timeout_minutes: 10 - Fixed notion-issue-summary.md: added timeout_minutes: 10 - Fixed duplicate-code-detector.md: added network configuration to serena MCP server - All workflows now compile successfully with --strict flag - All unit tests pass Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.md | 1 + .github/workflows/changeset-generator.md | 1 + .github/workflows/ci-doctor.md | 1 + .github/workflows/cli-version-checker.md | 1 + .github/workflows/dev.lock.yml | 2 +- .github/workflows/dev.md | 2 + .../duplicate-code-detector.lock.yml | 149 ++++++++++++++++++ .github/workflows/duplicate-code-detector.md | 4 + .github/workflows/go-pattern-detector.md | 1 + .github/workflows/issue-classifier.md | 1 + .../workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/notion-issue-summary.md | 2 + .github/workflows/pdf-summary.md | 1 + .github/workflows/poem-bot.md | 1 + .github/workflows/scout.md | 1 + .github/workflows/technical-doc-writer.md | 1 + .github/workflows/tidy.md | 1 + 17 files changed, 170 insertions(+), 2 deletions(-) diff --git a/.github/workflows/artifacts-summary.md b/.github/workflows/artifacts-summary.md index 86fbc78e7e4..b9477035a2b 100644 --- a/.github/workflows/artifacts-summary.md +++ b/.github/workflows/artifacts-summary.md @@ -19,6 +19,7 @@ safe-outputs: labels: [automation, artifacts, report] max: 1 timeout_minutes: 15 +strict: true --- # GitHub Actions Artifacts Usage Summary diff --git a/.github/workflows/changeset-generator.md b/.github/workflows/changeset-generator.md index 5e8faf7dc2c..0908f5b9f1b 100644 --- a/.github/workflows/changeset-generator.md 
+++ b/.github/workflows/changeset-generator.md @@ -10,6 +10,7 @@ engine: claude safe-outputs: push-to-pull-request-branch: timeout_minutes: 10 +strict: true --- # Changeset Generator diff --git a/.github/workflows/ci-doctor.md b/.github/workflows/ci-doctor.md index 8045d9cb57d..6e157560aab 100644 --- a/.github/workflows/ci-doctor.md +++ b/.github/workflows/ci-doctor.md @@ -20,6 +20,7 @@ tools: cache-memory: true web-fetch: null web-search: null +strict: true --- # CI Failure Doctor diff --git a/.github/workflows/cli-version-checker.md b/.github/workflows/cli-version-checker.md index 2283409beeb..5925a28b749 100644 --- a/.github/workflows/cli-version-checker.md +++ b/.github/workflows/cli-version-checker.md @@ -24,6 +24,7 @@ safe-outputs: labels: [automation, dependencies] draft: true timeout_minutes: 15 +strict: true --- # CLI Version Checker diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index b105be24dfe..d43bb0229b0 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1161,7 +1161,7 @@ jobs: # - mcp__github__search_pull_requests # - mcp__github__search_repositories # - mcp__github__search_users - timeout-minutes: 5 + timeout-minutes: 10 run: | set -o pipefail # Execute Claude Code CLI with prompt from file diff --git a/.github/workflows/dev.md b/.github/workflows/dev.md index c891e56a006..7698ffcf1d1 100644 --- a/.github/workflows/dev.md +++ b/.github/workflows/dev.md @@ -16,6 +16,8 @@ engine: claude safe-outputs: staged: true create-issue: +timeout_minutes: 10 +strict: true --- # Poem Generator diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 932e6b6ad33..eea17cf81a2 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -139,6 +139,138 @@ jobs: node-version: '24' - name: Install GitHub Copilot CLI run: npm install -g @github/copilot@latest + - name: Setup Proxy Configuration for MCP Network Restrictions + run: | + echo "Generating proxy configuration files for MCP tools with network restrictions..." + + # Generate Squid proxy configuration + cat > squid.conf << 'EOF' + # Squid configuration for egress traffic control + # This configuration implements a allow-list-based proxy + + # Access log and cache configuration + access_log /var/log/squid/access.log squid + cache_log /var/log/squid/cache.log + cache deny all + + # Port configuration + http_port 3128 + + # ACL definitions for allowed domains + acl allowed_domains dstdomain "/etc/squid/allowed_domains.txt" + acl localnet src 10.0.0.0/8 + acl localnet src 172.16.0.0/12 + acl localnet src 192.168.0.0/16 + acl SSL_ports port 443 + acl Safe_ports port 80 + acl Safe_ports port 443 + acl CONNECT method CONNECT + + # Access rules + # Deny requests to unknown domains (not in allow-list) + http_access deny !allowed_domains + http_access deny !Safe_ports + http_access deny CONNECT !SSL_ports + http_access allow localnet + http_access deny all + + # Disable caching + cache deny all + + # DNS settings + dns_nameservers 8.8.8.8 8.8.4.4 + + # Forwarded headers + forwarded_for delete + via off + + # Error page customization + error_directory /usr/share/squid/errors/English + + # Logging + logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh + access_log /var/log/squid/access.log combined + + # Memory and file descriptor limits + cache_mem 64 MB + maximum_object_size 0 KB + EOF + + # Generate allowed domains file + cat > allowed_domains.txt << 'EOF' + # Allowed domains for egress traffic + # Add one domain per line + github.com + + EOF + + # Generate Docker Compose configuration for serena + cat > docker-compose-serena.yml << 'EOF' + services: + squid-proxy: + image: ubuntu/squid:latest + 
container_name: squid-proxy-serena + ports: + - "3128:3128" + volumes: + - ./squid.conf:/etc/squid/squid.conf:ro + - ./allowed_domains.txt:/etc/squid/allowed_domains.txt:ro + - squid-logs:/var/log/squid + healthcheck: + test: ["CMD", "squid", "-k", "check"] + interval: 30s + timeout: 10s + retries: 3 + restart: unless-stopped + networks: + awproxy-serena: + ipv4_address: 172.28.198.10 + + serena: + image: ghcr.io/oraios/serena:latest + container_name: serena-mcp + stdin_open: true + tty: true + environment: + - PROXY_HOST=squid-proxy + - PROXY_PORT=3128 + - HTTP_PROXY=http://squid-proxy:3128 + - HTTPS_PROXY=http://squid-proxy:3128 + networks: + - awproxy-serena + - SERENA_PORT=9121 + - SERENA_DASHBOARD_PORT=24282 + - SERENA_DOCKER=1 + depends_on: + squid-proxy: + condition: service_healthy + + volumes: + squid-logs: + + networks: + awproxy-serena: + driver: bridge + ipam: + config: + - subnet: 172.28.198.0/24 + + EOF + + echo "Proxy configuration files generated." + - name: Pre-pull images and start Squid proxy + run: | + set -e + echo 'Pre-pulling Docker images for proxy-enabled MCP tools...' 
+ docker pull ubuntu/squid:latest + echo 'Starting squid-proxy service for serena' + docker compose -f docker-compose-serena.yml up -d squid-proxy + echo 'Enforcing egress to proxy for serena (subnet 172.28.198.0/24, squid 172.28.198.10)' + if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi + $SUDO iptables -C DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || $SUDO iptables -I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + $SUDO iptables -C DOCKER-USER -s 172.28.198.10 -j ACCEPT 2>/dev/null || $SUDO iptables -I DOCKER-USER 2 -s 172.28.198.10 -j ACCEPT + $SUDO iptables -C DOCKER-USER -s 172.28.198.0/24 -d 172.28.198.10 -p tcp --dport 3128 -j ACCEPT 2>/dev/null || $SUDO iptables -I DOCKER-USER 3 -s 172.28.198.0/24 -d 172.28.198.10 -p tcp --dport 3128 -j ACCEPT + $SUDO iptables -C DOCKER-USER -s 172.28.198.0/24 -j REJECT 2>/dev/null || $SUDO iptables -A DOCKER-USER -s 172.28.198.0/24 -j REJECT - name: Setup Safe Outputs Collector MCP run: | mkdir -p /tmp/safe-outputs @@ -2045,6 +2177,23 @@ jobs: path: | /tmp/.copilot/logs/ if-no-files-found: ignore + - name: Extract squid access logs + if: always() + run: | + mkdir -p /tmp/access-logs + echo 'Extracting access.log from squid-proxy-serena container' + if docker ps -a --format '{{.Names}}' | grep -q '^squid-proxy-serena$'; then + docker cp squid-proxy-serena:/var/log/squid/access.log /tmp/access-logs/access-serena.log 2>/dev/null || echo 'No access.log found for serena' + else + echo 'Container squid-proxy-serena not found' + fi + - name: Upload squid access logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: access.log + path: /tmp/access-logs/ + if-no-files-found: warn - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/.github/workflows/duplicate-code-detector.md b/.github/workflows/duplicate-code-detector.md index 7c56badb6cf..7b8f8a0b2bd 100644 --- a/.github/workflows/duplicate-code-detector.md 
+++ b/.github/workflows/duplicate-code-detector.md @@ -24,6 +24,9 @@ mcp-servers: SERENA_DOCKER: "1" SERENA_PORT: "9121" SERENA_DASHBOARD_PORT: "24282" + network: + allowed: + - "github.com" allowed: - activate_project - find_symbol @@ -38,6 +41,7 @@ safe-outputs: title-prefix: "[duplicate-code] " labels: [code-quality, automated-analysis] timeout_minutes: 15 +strict: true --- # Duplicate Code Detection Agent diff --git a/.github/workflows/go-pattern-detector.md b/.github/workflows/go-pattern-detector.md index 09e68e366ae..7fe733bac22 100644 --- a/.github/workflows/go-pattern-detector.md +++ b/.github/workflows/go-pattern-detector.md @@ -22,6 +22,7 @@ safe-outputs: title-prefix: "[ast-grep] " labels: [code-quality, ast-grep] max: 1 +strict: true --- # Go Code Pattern Detector diff --git a/.github/workflows/issue-classifier.md b/.github/workflows/issue-classifier.md index 756931cefb6..d3ded2568fd 100644 --- a/.github/workflows/issue-classifier.md +++ b/.github/workflows/issue-classifier.md @@ -15,6 +15,7 @@ safe-outputs: timeout_minutes: 5 imports: - shared/actions-ai-inference.md +strict: true --- # Issue Classification diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index b1d6d1272b6..d7a34555e3f 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -1322,7 +1322,7 @@ jobs: # - mcp__notion__get_page # - mcp__notion__query_database # - mcp__notion__search_pages - timeout-minutes: 5 + timeout-minutes: 10 run: | set -o pipefail # Execute Claude Code CLI with prompt from file diff --git a/.github/workflows/notion-issue-summary.md b/.github/workflows/notion-issue-summary.md index 98f91ef7ffe..23e354916f7 100644 --- a/.github/workflows/notion-issue-summary.md +++ b/.github/workflows/notion-issue-summary.md @@ -14,6 +14,8 @@ permissions: engine: claude imports: - shared/notion.md +timeout_minutes: 10 +strict: true --- # Issue Summary to Notion 
diff --git a/.github/workflows/pdf-summary.md b/.github/workflows/pdf-summary.md index 04aea825e52..758733689af 100644 --- a/.github/workflows/pdf-summary.md +++ b/.github/workflows/pdf-summary.md @@ -35,6 +35,7 @@ safe-outputs: max: 1 timeout_minutes: 15 +strict: true --- # Resource Summarizer Agent diff --git a/.github/workflows/poem-bot.md b/.github/workflows/poem-bot.md index c8967f54982..028f886ea4c 100644 --- a/.github/workflows/poem-bot.md +++ b/.github/workflows/poem-bot.md @@ -96,6 +96,7 @@ safe-outputs: # Global timeout timeout_minutes: 10 +strict: true --- # Poem Bot - A Creative Agentic Workflow diff --git a/.github/workflows/scout.md b/.github/workflows/scout.md index 7c5b2902080..48ee3fe59c3 100644 --- a/.github/workflows/scout.md +++ b/.github/workflows/scout.md @@ -24,6 +24,7 @@ safe-outputs: add-comment: max: 1 timeout_minutes: 10 +strict: true --- # Scout Deep Research Agent diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md index 6c9b88d875a..98f08d88e66 100644 --- a/.github/workflows/technical-doc-writer.md +++ b/.github/workflows/technical-doc-writer.md @@ -61,6 +61,7 @@ tools: - "npm run*" timeout_minutes: 10 +strict: true --- diff --git a/.github/workflows/tidy.md b/.github/workflows/tidy.md index 87f3fd5dfc9..000b73d1c3c 100644 --- a/.github/workflows/tidy.md +++ b/.github/workflows/tidy.md @@ -52,6 +52,7 @@ steps: cache: true - name: Dev dependencies run: make deps-dev +strict: true --- # Code Tidying Agent From 8b79ca0a5e6b5eefb3722aecb474b0f68a1fe56f Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Oct 2025 17:51:15 +0000 Subject: [PATCH 4/5] Final verification: All agentic workflows now have strict: true All 15 workflows compile successfully with strict mode enabled: - 15/15 workflows have strict: true - 0 compilation errors - All tests passing Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/duplicate-code-detector.lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index eea17cf81a2..065bf75a3d8 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -238,9 +238,9 @@ jobs: - HTTPS_PROXY=http://squid-proxy:3128 networks: - awproxy-serena + - SERENA_DOCKER=1 - SERENA_PORT=9121 - SERENA_DASHBOARD_PORT=24282 - - SERENA_DOCKER=1 depends_on: squid-proxy: condition: service_healthy From 43e2d2a15837aac93eafc13979f1e33133150a3c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 7 Oct 2025 17:54:59 +0000 Subject: [PATCH 5/5] Enable strict mode for all agentic workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/duplicate-code-detector.lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 065bf75a3d8..9e6d6ce131d 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -238,9 +238,9 @@ jobs: - HTTPS_PROXY=http://squid-proxy:3128 networks: - awproxy-serena + - SERENA_DASHBOARD_PORT=24282 - SERENA_DOCKER=1 - SERENA_PORT=9121 - - SERENA_DASHBOARD_PORT=24282 depends_on: squid-proxy: condition: service_healthy
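Review bot: The new PR title prefix `"[ca] "` in the `@@ -2938,9 +2938,9 @@` hunk of `cli-version-checker.lock.yml` (PATCH 2/5) no longer matches the prompt embedded in `WORKFLOW_MARKDOWN` in the same commit, which still tells the agent to use the title `"[auto] Update agentic CLI versions"`, so generated PRs can end up carrying both prefixes. Align the prompt text with the configured prefix. The commit message should also mention the prefix change and the switch of `GITHUB_AW_PR_DRAFT` to `"true"`, since neither follows from the subject about exploring strict mode requirements.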
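Review bot: Adding `timeout_minutes: 10` to `dev.md` doubles the agent step's limit instead of making the existing one explicit: the `@@ -1161,7 +1161,7 @@` hunk of `dev.lock.yml` (PATCH 3/5) shows the compiled value moving from `timeout-minutes: 5` to `timeout-minutes: 10`. If the strict-mode fix only needs the key to be present, set it to 5 to preserve current behaviour, or say in the commit message why the longer run time is wanted. The same applies to the `notion-issue-summary.lock.yml` hunk.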
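Review bot: In the generated `docker-compose-serena.yml` inside the `@@ -139,6 +139,138 @@` hunk of `duplicate-code-detector.lock.yml` (PATCH 3/5), the entries `SERENA_PORT=9121`, `SERENA_DASHBOARD_PORT=24282` and `SERENA_DOCKER=1` are emitted after `networks:` and `- awproxy-serena` rather than in the `environment:` list, so as written they read as network names and would not reach the `serena` container as environment variables. The generator should finish the `environment:` list before it opens `networks:`. Separately, `ubuntu/squid:latest` and `ghcr.io/oraios/serena:latest` are mutable tags; pinning both images by digest would keep the egress-control proxy and the MCP server reproducible between runs.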
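Review bot: The `docker cp` in the "Extract squid access logs" step (`@@ -2045,6 +2177,23 @@` hunk of `duplicate-code-detector.lock.yml`, PATCH 3/5) discards stderr with `2>/dev/null` and falls through to `echo 'No access.log found for serena'`, so a failed copy is indistinguishable from a proxy that logged nothing, and the step succeeds either way. This log is the record of which egress requests the allow-list permitted or denied, so keep the error output visible and consider a workflow-specific artifact name instead of `access.log`, which will be ambiguous once more than one workflow uploads proxy logs.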
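Review bot: The `network.allowed` entry `"github.com"` added at `@@ -24,6 +24,9 @@` in `duplicate-code-detector.md` (PATCH 3/5) ends up as the single line `github.com` in the generated `allowed_domains.txt`, and Squid's `dstdomain` ACL treats a name without a leading dot as an exact host match. Any subdomain, for example `api.github.com`, would therefore be rejected by `http_access deny !allowed_domains`. Confirm that the serena server only needs the bare host, and document the exact-match behaviour next to the `network:` block so later additions list each required host explicitly.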
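Review bot: The `@@ -238,9 +238,9 @@` hunk of `duplicate-code-detector.lock.yml` in PATCH 4/5 only reorders the three `SERENA_*` lines, and PATCH 5/5 reorders them again, which matches neither commit subject and suggests the compiler emits these entries in an unstable order. Sort them in the generator so that recompiling yields a byte-identical lock file; otherwise every recompile produces noise diffs that hide real changes to the proxy and container configuration. The lines also still follow `networks:` and `- awproxy-serena` in both hunks, so the placement should be corrected in the same change.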