From da1697f6abaeb6bb7e2b0d067e4fed8c00a9a20c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 03:56:42 +0000
Subject: [PATCH 1/3] Initial plan
From 4050d9cc72941674a266f301d727595ec4490189 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 04:04:06 +0000
Subject: [PATCH 2/3] Initial plan for OEF marker stability fix
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/947efa70-3820-4b17-b14a-a204ea8e56ef
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../daily-performance-summary.lock.yml | 64 +++++------
.github/workflows/daily-regulatory.lock.yml | 60 +++++------
.github/workflows/smoke-claude.lock.yml | 100 +++++++++---------
.github/workflows/smoke-copilot-arm.lock.yml | 68 ++++++------
.github/workflows/smoke-copilot.lock.yml | 68 ++++++------
5 files changed, 180 insertions(+), 180 deletions(-)
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index fe62805cd05..c0577ba2631 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -139,15 +139,15 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
+ GH_AW_PROMPT_38067344b46c253b_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
Tools: create_discussion, close_discussion(max:10), upload_asset, missing_tool, missing_data, noop
@@ -181,23 +181,23 @@ jobs:
{{/if}}
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
+ GH_AW_PROMPT_38067344b46c253b_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ GH_AW_PROMPT_38067344b46c253b_EOF
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ GH_AW_PROMPT_38067344b46c253b_EOF
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
{{#runtime-import .github/workflows/shared/trending-charts-simple.md}}
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ GH_AW_PROMPT_38067344b46c253b_EOF
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
- cat << 'GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF'
+ GH_AW_PROMPT_38067344b46c253b_EOF
+ cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
{{#runtime-import .github/workflows/daily-performance-summary.md}}
- GH_AW_PROMPT_6b58b3cca1b0ba4a_EOF
+ GH_AW_PROMPT_38067344b46c253b_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -405,12 +405,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_be1687f903beb78b_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_3ee978f84cad4131_EOF'
{"close_discussion":{"max":10},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily performance] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}}
- GH_AW_SAFE_OUTPUTS_CONFIG_be1687f903beb78b_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_3ee978f84cad4131_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_90560a8053ee3748_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_375e7c02cd63b42e_EOF'
{
"description_suffixes": {
"close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.",
@@ -420,8 +420,8 @@ jobs:
"repo_params": {},
"dynamic_tools": []
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_90560a8053ee3748_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_42f2d825c1829d5d_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_375e7c02cd63b42e_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_90e35fb6b7dcc92f_EOF'
{
"close_discussion": {
"defaultMax": 1,
@@ -543,7 +543,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_42f2d825c1829d5d_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_90e35fb6b7dcc92f_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -586,7 +586,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_7df2449fd8214e49_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_8ba0c394d0418217_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -680,8 +680,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_7df2449fd8214e49_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_d0ef02c5a059dd94_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_8ba0c394d0418217_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_f8d39deb8dafa6df_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -695,12 +695,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_d0ef02c5a059dd94_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_f8d39deb8dafa6df_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e51a40a1984b8ff7_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_7b5529d49a1b80a4_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -835,9 +835,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e51a40a1984b8ff7_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_7b5529d49a1b80a4_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_fcaa38911cabfd25_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_69d7d799a3a0feed_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -916,9 +916,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_fcaa38911cabfd25_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_69d7d799a3a0feed_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_c5911148d93f8570_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d3618419a6ddf510_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1003,7 +1003,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_c5911148d93f8570_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d3618419a6ddf510_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1073,7 +1073,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_736c74be96004148_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_1f72ae7c462ab449_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"github": {
@@ -1128,7 +1128,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_736c74be96004148_EOF
+ GH_AW_MCP_CONFIG_1f72ae7c462ab449_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml
index 7c4c165f18d..33bb905ff06 100644
--- a/.github/workflows/daily-regulatory.lock.yml
+++ b/.github/workflows/daily-regulatory.lock.yml
@@ -138,14 +138,14 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_5af93940ba78bcf1_EOF'
+ cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
- GH_AW_PROMPT_5af93940ba78bcf1_EOF
+ GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_5af93940ba78bcf1_EOF'
+ cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
Tools: create_discussion, close_discussion(max:10), missing_tool, missing_data, noop
@@ -177,20 +177,20 @@ jobs:
{{/if}}
- GH_AW_PROMPT_5af93940ba78bcf1_EOF
+ GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_5af93940ba78bcf1_EOF'
+ cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
- GH_AW_PROMPT_5af93940ba78bcf1_EOF
- cat << 'GH_AW_PROMPT_5af93940ba78bcf1_EOF'
+ GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
+ cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_5af93940ba78bcf1_EOF
- cat << 'GH_AW_PROMPT_5af93940ba78bcf1_EOF'
+ GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
+ cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_5af93940ba78bcf1_EOF
- cat << 'GH_AW_PROMPT_5af93940ba78bcf1_EOF'
+ GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
+ cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
{{#runtime-import .github/workflows/daily-regulatory.md}}
- GH_AW_PROMPT_5af93940ba78bcf1_EOF
+ GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -359,12 +359,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_f364de580a64fe28_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_d74dbf6e56a88d45_EOF'
{"close_discussion":{"max":10},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily regulatory] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}}
- GH_AW_SAFE_OUTPUTS_CONFIG_f364de580a64fe28_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_d74dbf6e56a88d45_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_b140a6208cb467c8_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_4ef16bc13035e40a_EOF'
{
"description_suffixes": {
"close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.",
@@ -373,8 +373,8 @@ jobs:
"repo_params": {},
"dynamic_tools": []
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_b140a6208cb467c8_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_0a1edeeb321e59e1_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_4ef16bc13035e40a_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_ecc112e01957f0f9_EOF'
{
"close_discussion": {
"defaultMax": 1,
@@ -487,7 +487,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_0a1edeeb321e59e1_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_ecc112e01957f0f9_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -530,7 +530,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_10dc75a7299cde52_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_56561f7ad7e979d8_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -624,8 +624,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_10dc75a7299cde52_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_f6b0d5207b9a786a_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_56561f7ad7e979d8_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_241c2274ef9b6941_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -639,12 +639,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_f6b0d5207b9a786a_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_241c2274ef9b6941_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_bb6b1cb0d74b1316_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_afe5f484c9577440_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -779,9 +779,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_bb6b1cb0d74b1316_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_afe5f484c9577440_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_3530c49309a264b1_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_f0f44b755abc2e98_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -860,9 +860,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_3530c49309a264b1_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_f0f44b755abc2e98_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d4c35b052a723f5a_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d736a76a47cdc6ce_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -947,7 +947,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d4c35b052a723f5a_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d736a76a47cdc6ce_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1014,7 +1014,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_eb0b0d8a8fc4aa40_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_f5ba653e50ee8ae1_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"github": {
@@ -1069,7 +1069,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_eb0b0d8a8fc4aa40_EOF
+ GH_AW_MCP_CONFIG_f5ba653e50ee8ae1_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 69e88bd44b2..e040385468c 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -198,9 +198,9 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
@@ -208,12 +208,12 @@ jobs:
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
Tools: add_comment(max:2), create_issue, close_pull_request, update_pull_request, create_pull_request_review_comment(max:5), submit_pull_request_review, resolve_pull_request_review_thread(max:5), add_labels, add_reviewer(max:2), push_to_pull_request_branch, missing_tool, missing_data, noop
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_push_to_pr_branch.md"
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
The following GitHub context information is available for this workflow:
@@ -243,12 +243,12 @@ jobs:
{{/if}}
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
## MCP Response Size Limits
MCP tool responses have a **25,000 token limit**. When GitHub API responses exceed this limit, workflows must retry with pagination parameters, wasting turns and tokens.
@@ -360,8 +360,8 @@ jobs:
This proactive approach eliminates retry loops and reduces token consumption.
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
**IMPORTANT**: Always use the `mcpscripts-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `mcpscripts-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default.
**Correct**:
@@ -378,11 +378,11 @@ jobs:
```
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
## Report Structure Guidelines
### 1. Header Levels
@@ -452,11 +452,11 @@ jobs:
- Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)`
- Include up to 3 most relevant run URLs at end under `**References:**`
- Do NOT add footer attribution (system adds automatically)
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
**IMPORTANT**: Always use the `mcpscripts-go` and `mcpscripts-make` tools for Go and Make commands instead of running them directly via bash. These mcp-script tools provide consistent execution and proper logging.
**Correct**:
@@ -475,11 +475,11 @@ jobs:
```
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
- cat << 'GH_AW_PROMPT_f0adddb4add4f47d_EOF'
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
# Smoke Test: Claude Engine Validation.
**IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.**
@@ -587,7 +587,7 @@ jobs:
{"noop": {"message": "No action needed: [brief explanation of what was analyzed and why]"}}
```
- GH_AW_PROMPT_f0adddb4add4f47d_EOF
+ GH_AW_PROMPT_6b1cb95b3675cd09_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -857,12 +857,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_5568050757f14c0c_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_7409af05d1ba3e15_EOF'
{"add_comment":{"hide_older_comments":true,"max":2},"add_labels":{"allowed":["smoke-claude"]},"add_reviewer":{"max":2,"target":"*"},"close_pull_request":{"max":1,"staged":true},"create_issue":{"close_older_issues":true,"close_older_key":"smoke-claude","expires":2,"group":true,"labels":["automation","testing"],"max":1},"create_pull_request_review_comment":{"max":5,"side":"RIGHT","target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"post_slack_message":{"description":"Post a message to a fictitious Slack channel (smoke test only — no real Slack integration)","inputs":{"channel":{"default":"#general","description":"Slack channel name to post to","required":false,"type":"string"},"message":{"description":"Message text to post","required":false,"type":"string"}}},"push_to_pull_request_branch":{"if_no_changes":"warn","max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"staged":true,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"footer":"always","max":1},"update_pull_request":{"allow_body":true,"allow_title":true,"max":1,"target":"*"}}
- GH_AW_SAFE_OUTPUTS_CONFIG_5568050757f14c0c_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_7409af05d1ba3e15_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_79c7e2cb852c6fc1_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_d27e818ec81a42cc_EOF'
{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.",
@@ -899,8 +899,8 @@ jobs:
}
]
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_79c7e2cb852c6fc1_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_7144ffa8067c9699_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_d27e818ec81a42cc_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_76d3267f68487b71_EOF'
{
"add_comment": {
"defaultMax": 1,
@@ -1185,7 +1185,7 @@ jobs:
"customValidation": "requiresOneOf:title,body"
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_7144ffa8067c9699_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_76d3267f68487b71_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -1228,7 +1228,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_6eeaeabb42724bc3_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_e791af4a15638278_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -1380,8 +1380,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_6eeaeabb42724bc3_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_d45e355c88925eb2_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_e791af4a15638278_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_896ea0bea2695a3e_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -1395,12 +1395,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_d45e355c88925eb2_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_896ea0bea2695a3e_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_89162a9f125c394e_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_485e8ae524fbc24a_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: gh
# Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1411,9 +1411,9 @@ jobs:
echo " token: ${GH_AW_GH_TOKEN:0:6}..."
GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GH_89162a9f125c394e_EOF
+ GH_AW_MCP_SCRIPTS_SH_GH_485e8ae524fbc24a_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_c176e3e500acf3ba_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e6d883a37e846c7c_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1548,9 +1548,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_c176e3e500acf3ba_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e6d883a37e846c7c_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_35f4e3b29a60bf29_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_6eb0b98168194ed6_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1629,9 +1629,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_35f4e3b29a60bf29_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_6eb0b98168194ed6_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_0d3945970ae65781_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_3d7716c509bade7c_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1716,9 +1716,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_0d3945970ae65781_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_3d7716c509bade7c_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_437cdc1305cd4f0a_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_c7efa7cea3e8fefb_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: go
# Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1729,9 +1729,9 @@ jobs:
go $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GO_437cdc1305cd4f0a_EOF
+ GH_AW_MCP_SCRIPTS_SH_GO_c7efa7cea3e8fefb_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/go.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_6c7c72a456284bbf_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_637c52137b19831c_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: make
# Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1741,7 +1741,7 @@ jobs:
echo "make $INPUT_ARGS"
make $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_MAKE_6c7c72a456284bbf_EOF
+ GH_AW_MCP_SCRIPTS_SH_MAKE_637c52137b19831c_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/make.sh
- name: Generate MCP Scripts Server Config
@@ -1814,7 +1814,7 @@ jobs:
export GH_AW_ENGINE="claude"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
- cat << GH_AW_MCP_CONFIG_a1fb0a5b26dd20a7_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_20161bf861321d5e_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -1950,7 +1950,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_a1fb0a5b26dd20a7_EOF
+ GH_AW_MCP_CONFIG_20161bf861321d5e_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@@ -2664,7 +2664,7 @@ jobs:
echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
- name: Setup Safe Outputs Custom Scripts
run: |
- cat > ${RUNNER_TEMP}/gh-aw/actions/safe_output_script_post_slack_message.cjs << 'GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_16c21572b88e5f4b_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/actions/safe_output_script_post_slack_message.cjs << 'GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_46e92fc421c40955_EOF'
// @ts-check
///
// Auto-generated safe-output script handler: post-slack-message
@@ -2684,7 +2684,7 @@ jobs:
}
module.exports = { main };
- GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_16c21572b88e5f4b_EOF
+ GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_46e92fc421c40955_EOF
- name: Process Safe Outputs
id: process_safe_outputs
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml
index 21eb6c35bd6..c20455ccc61 100644
--- a/.github/workflows/smoke-copilot-arm.lock.yml
+++ b/.github/workflows/smoke-copilot-arm.lock.yml
@@ -189,9 +189,9 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
@@ -199,7 +199,7 @@ jobs:
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
Tools: add_comment(max:2), create_issue, create_discussion, create_pull_request_review_comment(max:5), submit_pull_request_review, add_labels, remove_labels, dispatch_workflow, missing_tool, missing_data, noop
@@ -231,23 +231,23 @@ jobs:
{{/if}}
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
{{#runtime-import .github/workflows/shared/gh.md}}
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
- cat << 'GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF'
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
+ cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
{{#runtime-import .github/workflows/smoke-copilot-arm.md}}
- GH_AW_PROMPT_7dfdaa2092b4a0f3_EOF
+ GH_AW_PROMPT_c9e071e53e64b932_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -497,12 +497,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_480b4dd06350523e_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_6fc7777c6de28eca_EOF'
{"add_comment":{"allowed_repos":["github/gh-aw"],"hide_older_comments":true,"max":2},"add_labels":{"allowed":["smoke-copilot-arm"],"allowed_repos":["github/gh-aw"]},"create_discussion":{"category":"announcements","close_older_discussions":true,"expires":2,"fallback_to_issue":true,"labels":["ai-generated"],"max":1},"create_issue":{"close_older_issues":true,"close_older_key":"smoke-copilot-arm","expires":2,"group":true,"labels":["automation","testing"],"max":1},"create_pull_request_review_comment":{"max":5,"side":"RIGHT"},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"remove_labels":{"allowed":["smoke"]},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"description":"The message to send","required":false,"type":"string"}},"output":"Slack message stub executed!"},"submit_pull_request_review":{"max":1}}
- GH_AW_SAFE_OUTPUTS_CONFIG_480b4dd06350523e_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_6fc7777c6de28eca_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_e1a444b0cb9633ab_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_fb7918c7c3f6c71a_EOF'
{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.",
@@ -559,8 +559,8 @@ jobs:
}
]
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_e1a444b0cb9633ab_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_69556ba4fb62977a_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_fb7918c7c3f6c71a_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_6eee7ffbf3d09287_EOF'
{
"add_comment": {
"defaultMax": 1,
@@ -790,7 +790,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_69556ba4fb62977a_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_6eee7ffbf3d09287_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -833,7 +833,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_4026188d4b08cbf8_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_b92d0dc23d43344d_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -949,8 +949,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_4026188d4b08cbf8_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_d8c72e52e2537511_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_b92d0dc23d43344d_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_5492aeb7669e11d4_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -964,12 +964,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_d8c72e52e2537511_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_5492aeb7669e11d4_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_e8da73fc43a0cd38_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_e65337f45839cd84_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: gh
# Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -980,9 +980,9 @@ jobs:
echo " token: ${GH_AW_GH_TOKEN:0:6}..."
GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GH_e8da73fc43a0cd38_EOF
+ GH_AW_MCP_SCRIPTS_SH_GH_e65337f45839cd84_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_c1d2707fc37cffe3_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_d6ddb942cce519e2_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1117,9 +1117,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_c1d2707fc37cffe3_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_d6ddb942cce519e2_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_82810c8c6566cda3_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_fdc45fa4cd98d4a1_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1198,9 +1198,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_82810c8c6566cda3_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_fdc45fa4cd98d4a1_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_aadd05d4577a4821_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_667ad5ff0ac9f07f_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1285,7 +1285,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_aadd05d4577a4821_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_667ad5ff0ac9f07f_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1358,7 +1358,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_d1cbc2b182d046f8_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_38187d602986a5fc_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -1461,7 +1461,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_d1cbc2b182d046f8_EOF
+ GH_AW_MCP_CONFIG_38187d602986a5fc_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 7fd97da4705..aab471bfcff 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -195,9 +195,9 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
@@ -205,7 +205,7 @@ jobs:
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
Tools: add_comment(max:2), create_issue, create_discussion, create_pull_request_review_comment(max:5), submit_pull_request_review, reply_to_pull_request_review_comment(max:5), add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop
@@ -237,23 +237,23 @@ jobs:
{{/if}}
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
{{#runtime-import .github/workflows/shared/gh.md}}
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
- cat << 'GH_AW_PROMPT_dc23dfd46efcdfcf_EOF'
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
+ cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
{{#runtime-import .github/workflows/smoke-copilot.md}}
- GH_AW_PROMPT_dc23dfd46efcdfcf_EOF
+ GH_AW_PROMPT_cb3371b468b3928c_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -504,12 +504,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_c703130d4ecdecf0_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_4c9aab4bfc7b7d42_EOF'
{"add_comment":{"allowed_repos":["github/gh-aw"],"hide_older_comments":true,"max":2},"add_labels":{"allowed":["smoke-copilot"],"allowed_repos":["github/gh-aw"]},"create_discussion":{"category":"announcements","close_older_discussions":true,"close_older_key":"smoke-copilot","expires":2,"fallback_to_issue":true,"labels":["ai-generated"],"max":1},"create_issue":{"close_older_issues":true,"close_older_key":"smoke-copilot","expires":2,"group":true,"labels":["automation","testing"],"max":1},"create_pull_request_review_comment":{"max":5,"side":"RIGHT"},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"remove_labels":{"allowed":["smoke"]},"reply_to_pull_request_review_comment":{"max":5},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"description":"The message to send","required":false,"type":"string"}},"output":"Slack message stub executed!"},"set_issue_type":{},"submit_pull_request_review":{"max":1}}
- GH_AW_SAFE_OUTPUTS_CONFIG_c703130d4ecdecf0_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_4c9aab4bfc7b7d42_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_afbe8cc21b600768_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_a110c440d41de3e9_EOF'
{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.",
@@ -567,8 +567,8 @@ jobs:
}
]
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_afbe8cc21b600768_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_309f8c61bc4b3a0e_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_a110c440d41de3e9_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_9e323693d2b679e9_EOF'
{
"add_comment": {
"defaultMax": 1,
@@ -838,7 +838,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_309f8c61bc4b3a0e_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_9e323693d2b679e9_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -881,7 +881,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_690c99b00bd4d469_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_771497388f3a8a37_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -997,8 +997,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_690c99b00bd4d469_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_8b7e5a66dc455f5a_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_771497388f3a8a37_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_3092dadf7c4b705f_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -1012,12 +1012,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_8b7e5a66dc455f5a_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_3092dadf7c4b705f_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_d51349a7219cbd51_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_ffc4ccb8a76bcffb_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: gh
# Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1028,9 +1028,9 @@ jobs:
echo " token: ${GH_AW_GH_TOKEN:0:6}..."
GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GH_d51349a7219cbd51_EOF
+ GH_AW_MCP_SCRIPTS_SH_GH_ffc4ccb8a76bcffb_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_31426f17be9922a2_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_738382de206bd0ef_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1165,9 +1165,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_31426f17be9922a2_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_738382de206bd0ef_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_ae6bd512fd413c3f_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_782bf1e5f984aa24_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1246,9 +1246,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_ae6bd512fd413c3f_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_782bf1e5f984aa24_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_1e08022804337bdd_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_9e853a386695b139_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1333,7 +1333,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_1e08022804337bdd_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_9e853a386695b139_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1406,7 +1406,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_8bd8dd48ca7368c6_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_87d5496efb11c10e_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -1509,7 +1509,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_8bd8dd48ca7368c6_EOF
+ GH_AW_MCP_CONFIG_87d5496efb11c10e_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
From 8e3a7b90b35d9a76a9c6668fd5ee7186d1fadd12 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 04:23:49 +0000
Subject: [PATCH 3/3] Use frontmatter hash bytes for stable OEF marker
identifiers
Replace crypto/rand in heredoc delimiter generation with HMAC-SHA256
derived from the workflow frontmatter hash, so compiled lock files
produce identical EOF markers across repeated compilations.
- Add GenerateHeredocDelimiterFromSeed(name, seed string) using
HMAC-SHA256(key=seed, data=UPPER(name)) for injection-resistant
stable delimiters
- Add FrontmatterHash field to WorkflowData struct
- Compute frontmatter hash before buildJobsAndValidate in generateYAML
and store it on data.FrontmatterHash for use by all job builders
- Update all 11 GenerateHeredocDelimiter call sites to use the seeded
variant with workflowData.FrontmatterHash
- Update buildCustomScriptFilesStep to accept frontmatterHash parameter
- Add 5 unit tests for GenerateHeredocDelimiterFromSeed
- Recompile all 178 workflows with stable deterministic delimiters
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/947efa70-3820-4b17-b14a-a204ea8e56ef
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
.../daily-performance-summary.lock.yml | 64 +++++------
.github/workflows/daily-regulatory.lock.yml | 60 +++++------
.github/workflows/smoke-claude.lock.yml | 100 +++++++++---------
.github/workflows/smoke-copilot-arm.lock.yml | 68 ++++++------
.github/workflows/smoke-copilot.lock.yml | 68 ++++++------
pkg/workflow/codex_mcp.go | 2 +-
pkg/workflow/compiler_safe_outputs_job.go | 6 +-
pkg/workflow/compiler_types.go | 1 +
pkg/workflow/compiler_yaml.go | 18 ++--
pkg/workflow/mcp_renderer.go | 2 +-
pkg/workflow/mcp_setup_generator.go | 18 ++--
pkg/workflow/safe_scripts_test.go | 6 +-
pkg/workflow/strings.go | 35 ++++++
pkg/workflow/strings_test.go | 65 ++++++++++++
pkg/workflow/unified_prompt_step.go | 2 +-
15 files changed, 311 insertions(+), 204 deletions(-)
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index c0577ba2631..8bf2bc3a5ba 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -139,15 +139,15 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
- GH_AW_PROMPT_38067344b46c253b_EOF
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
Tools: create_discussion, close_discussion(max:10), upload_asset, missing_tool, missing_data, noop
@@ -181,23 +181,23 @@ jobs:
{{/if}}
- GH_AW_PROMPT_38067344b46c253b_EOF
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
- GH_AW_PROMPT_38067344b46c253b_EOF
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_38067344b46c253b_EOF
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
{{#runtime-import .github/workflows/shared/trending-charts-simple.md}}
- GH_AW_PROMPT_38067344b46c253b_EOF
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_38067344b46c253b_EOF
- cat << 'GH_AW_PROMPT_38067344b46c253b_EOF'
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
+ cat << 'GH_AW_PROMPT_de57425ea5d8c2f0_EOF'
{{#runtime-import .github/workflows/daily-performance-summary.md}}
- GH_AW_PROMPT_38067344b46c253b_EOF
+ GH_AW_PROMPT_de57425ea5d8c2f0_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -405,12 +405,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_3ee978f84cad4131_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_46d5f652099778b2_EOF'
{"close_discussion":{"max":10},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily performance] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg"],"branch":"assets/${{ github.workflow }}","max-size":10240}}
- GH_AW_SAFE_OUTPUTS_CONFIG_3ee978f84cad4131_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_46d5f652099778b2_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_375e7c02cd63b42e_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_bee5d6a91cf1c2d3_EOF'
{
"description_suffixes": {
"close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.",
@@ -420,8 +420,8 @@ jobs:
"repo_params": {},
"dynamic_tools": []
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_375e7c02cd63b42e_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_90e35fb6b7dcc92f_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_bee5d6a91cf1c2d3_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_f6b4c61ccd3859e3_EOF'
{
"close_discussion": {
"defaultMax": 1,
@@ -543,7 +543,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_90e35fb6b7dcc92f_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_f6b4c61ccd3859e3_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -586,7 +586,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_8ba0c394d0418217_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_1b007676f0a21fc5_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -680,8 +680,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_8ba0c394d0418217_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_f8d39deb8dafa6df_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_1b007676f0a21fc5_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_b8a177def14e52f1_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -695,12 +695,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_f8d39deb8dafa6df_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_b8a177def14e52f1_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_7b5529d49a1b80a4_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_3578e8b5f053270e_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -835,9 +835,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_7b5529d49a1b80a4_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_3578e8b5f053270e_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_69d7d799a3a0feed_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_248cd51e0f2b2187_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -916,9 +916,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_69d7d799a3a0feed_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_248cd51e0f2b2187_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d3618419a6ddf510_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d7c3c3ddcb042433_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1003,7 +1003,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d3618419a6ddf510_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d7c3c3ddcb042433_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1073,7 +1073,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_1f72ae7c462ab449_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_07c1efd03ebdfd50_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"github": {
@@ -1128,7 +1128,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_1f72ae7c462ab449_EOF
+ GH_AW_MCP_CONFIG_07c1efd03ebdfd50_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml
index 33bb905ff06..a0b444157ee 100644
--- a/.github/workflows/daily-regulatory.lock.yml
+++ b/.github/workflows/daily-regulatory.lock.yml
@@ -138,14 +138,14 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
+ cat << 'GH_AW_PROMPT_e7bf1a71088c8329_EOF'
- GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
+ GH_AW_PROMPT_e7bf1a71088c8329_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
+ cat << 'GH_AW_PROMPT_e7bf1a71088c8329_EOF'
Tools: create_discussion, close_discussion(max:10), missing_tool, missing_data, noop
@@ -177,20 +177,20 @@ jobs:
{{/if}}
- GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
+ GH_AW_PROMPT_e7bf1a71088c8329_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
+ cat << 'GH_AW_PROMPT_e7bf1a71088c8329_EOF'
- GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
- cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
+ GH_AW_PROMPT_e7bf1a71088c8329_EOF
+ cat << 'GH_AW_PROMPT_e7bf1a71088c8329_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
- cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
+ GH_AW_PROMPT_e7bf1a71088c8329_EOF
+ cat << 'GH_AW_PROMPT_e7bf1a71088c8329_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
- cat << 'GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF'
+ GH_AW_PROMPT_e7bf1a71088c8329_EOF
+ cat << 'GH_AW_PROMPT_e7bf1a71088c8329_EOF'
{{#runtime-import .github/workflows/daily-regulatory.md}}
- GH_AW_PROMPT_ef1fb1bd014f5f0e_EOF
+ GH_AW_PROMPT_e7bf1a71088c8329_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -359,12 +359,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_d74dbf6e56a88d45_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_479943ac3e999c18_EOF'
{"close_discussion":{"max":10},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[daily regulatory] "},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"}}
- GH_AW_SAFE_OUTPUTS_CONFIG_d74dbf6e56a88d45_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_479943ac3e999c18_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_4ef16bc13035e40a_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_f8156b1b6cadb67e_EOF'
{
"description_suffixes": {
"close_discussion": " CONSTRAINTS: Maximum 10 discussion(s) can be closed.",
@@ -373,8 +373,8 @@ jobs:
"repo_params": {},
"dynamic_tools": []
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_4ef16bc13035e40a_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_ecc112e01957f0f9_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_f8156b1b6cadb67e_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_0a83f5480af04e22_EOF'
{
"close_discussion": {
"defaultMax": 1,
@@ -487,7 +487,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_ecc112e01957f0f9_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_0a83f5480af04e22_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -530,7 +530,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_56561f7ad7e979d8_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_24e42907d4f3d973_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -624,8 +624,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_56561f7ad7e979d8_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_241c2274ef9b6941_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_24e42907d4f3d973_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_e379ad2d1f8347fd_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -639,12 +639,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_241c2274ef9b6941_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_e379ad2d1f8347fd_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_afe5f484c9577440_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_42a2b21adf645622_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -779,9 +779,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_afe5f484c9577440_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_42a2b21adf645622_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_f0f44b755abc2e98_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_7d09b47a4130375a_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -860,9 +860,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_f0f44b755abc2e98_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_7d09b47a4130375a_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d736a76a47cdc6ce_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_9cc04f722b6cb3b1_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -947,7 +947,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_d736a76a47cdc6ce_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_9cc04f722b6cb3b1_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1014,7 +1014,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_f5ba653e50ee8ae1_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_61ef576cbd71659a_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"github": {
@@ -1069,7 +1069,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_f5ba653e50ee8ae1_EOF
+ GH_AW_MCP_CONFIG_61ef576cbd71659a_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index e040385468c..0e5c3cde2b7 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -198,9 +198,9 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
@@ -208,12 +208,12 @@ jobs:
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
Tools: add_comment(max:2), create_issue, close_pull_request, update_pull_request, create_pull_request_review_comment(max:5), submit_pull_request_review, resolve_pull_request_review_thread(max:5), add_labels, add_reviewer(max:2), push_to_pull_request_branch, missing_tool, missing_data, noop
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_push_to_pr_branch.md"
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
The following GitHub context information is available for this workflow:
@@ -243,12 +243,12 @@ jobs:
{{/if}}
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
## MCP Response Size Limits
MCP tool responses have a **25,000 token limit**. When GitHub API responses exceed this limit, workflows must retry with pagination parameters, wasting turns and tokens.
@@ -360,8 +360,8 @@ jobs:
This proactive approach eliminates retry loops and reduces token consumption.
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
**IMPORTANT**: Always use the `mcpscripts-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `mcpscripts-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default.
**Correct**:
@@ -378,11 +378,11 @@ jobs:
```
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
## Report Structure Guidelines
### 1. Header Levels
@@ -452,11 +452,11 @@ jobs:
- Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)`
- Include up to 3 most relevant run URLs at end under `**References:**`
- Do NOT add footer attribution (system adds automatically)
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
**IMPORTANT**: Always use the `mcpscripts-go` and `mcpscripts-make` tools for Go and Make commands instead of running them directly via bash. These mcp-script tools provide consistent execution and proper logging.
**Correct**:
@@ -475,11 +475,11 @@ jobs:
```
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
- cat << 'GH_AW_PROMPT_6b1cb95b3675cd09_EOF'
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
+ cat << 'GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF'
# Smoke Test: Claude Engine Validation.
**IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.**
@@ -587,7 +587,7 @@ jobs:
{"noop": {"message": "No action needed: [brief explanation of what was analyzed and why]"}}
```
- GH_AW_PROMPT_6b1cb95b3675cd09_EOF
+ GH_AW_PROMPT_5b5cf8c4ea949d9a_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -857,12 +857,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_7409af05d1ba3e15_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_b21107ea4b46bc70_EOF'
{"add_comment":{"hide_older_comments":true,"max":2},"add_labels":{"allowed":["smoke-claude"]},"add_reviewer":{"max":2,"target":"*"},"close_pull_request":{"max":1,"staged":true},"create_issue":{"close_older_issues":true,"close_older_key":"smoke-claude","expires":2,"group":true,"labels":["automation","testing"],"max":1},"create_pull_request_review_comment":{"max":5,"side":"RIGHT","target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"post_slack_message":{"description":"Post a message to a fictitious Slack channel (smoke test only — no real Slack integration)","inputs":{"channel":{"default":"#general","description":"Slack channel name to post to","required":false,"type":"string"},"message":{"description":"Message text to post","required":false,"type":"string"}}},"push_to_pull_request_branch":{"if_no_changes":"warn","max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"],"staged":true,"target":"*"},"resolve_pull_request_review_thread":{"max":5},"submit_pull_request_review":{"footer":"always","max":1},"update_pull_request":{"allow_body":true,"allow_title":true,"max":1,"target":"*"}}
- GH_AW_SAFE_OUTPUTS_CONFIG_7409af05d1ba3e15_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_b21107ea4b46bc70_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_d27e818ec81a42cc_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_78850d57a6f3ee6b_EOF'
{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.",
@@ -899,8 +899,8 @@ jobs:
}
]
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_d27e818ec81a42cc_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_76d3267f68487b71_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_78850d57a6f3ee6b_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_c02dc5a35725a415_EOF'
{
"add_comment": {
"defaultMax": 1,
@@ -1185,7 +1185,7 @@ jobs:
"customValidation": "requiresOneOf:title,body"
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_76d3267f68487b71_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_c02dc5a35725a415_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -1228,7 +1228,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_e791af4a15638278_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_ccd0fc6b0f6e80e9_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -1380,8 +1380,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_e791af4a15638278_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_896ea0bea2695a3e_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_ccd0fc6b0f6e80e9_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_d2d62f86d7364b9a_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -1395,12 +1395,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_896ea0bea2695a3e_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_d2d62f86d7364b9a_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_485e8ae524fbc24a_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_f67559598c935571_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: gh
# Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1411,9 +1411,9 @@ jobs:
echo " token: ${GH_AW_GH_TOKEN:0:6}..."
GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GH_485e8ae524fbc24a_EOF
+ GH_AW_MCP_SCRIPTS_SH_GH_f67559598c935571_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e6d883a37e846c7c_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e102945e6b71afcb_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1548,9 +1548,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e6d883a37e846c7c_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_e102945e6b71afcb_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_6eb0b98168194ed6_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_b8c7d61ac9725809_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1629,9 +1629,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_6eb0b98168194ed6_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_b8c7d61ac9725809_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_3d7716c509bade7c_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_a408417e70dfc282_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1716,9 +1716,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_3d7716c509bade7c_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_a408417e70dfc282_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_c7efa7cea3e8fefb_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_262cebed7ecac346_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: go
# Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1729,9 +1729,9 @@ jobs:
go $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GO_c7efa7cea3e8fefb_EOF
+ GH_AW_MCP_SCRIPTS_SH_GO_262cebed7ecac346_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/go.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_637c52137b19831c_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_b3a40908f9536124_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: make
# Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1741,7 +1741,7 @@ jobs:
echo "make $INPUT_ARGS"
make $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_MAKE_637c52137b19831c_EOF
+ GH_AW_MCP_SCRIPTS_SH_MAKE_b3a40908f9536124_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/make.sh
- name: Generate MCP Scripts Server Config
@@ -1814,7 +1814,7 @@ jobs:
export GH_AW_ENGINE="claude"
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
- cat << GH_AW_MCP_CONFIG_20161bf861321d5e_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_ffcfdd19b250b5b1_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -1950,7 +1950,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_20161bf861321d5e_EOF
+ GH_AW_MCP_CONFIG_ffcfdd19b250b5b1_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
@@ -2664,7 +2664,7 @@ jobs:
echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
- name: Setup Safe Outputs Custom Scripts
run: |
- cat > ${RUNNER_TEMP}/gh-aw/actions/safe_output_script_post_slack_message.cjs << 'GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_46e92fc421c40955_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/actions/safe_output_script_post_slack_message.cjs << 'GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_c30eabcd41f1ac22_EOF'
// @ts-check
///
// Auto-generated safe-output script handler: post-slack-message
@@ -2684,7 +2684,7 @@ jobs:
}
module.exports = { main };
- GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_46e92fc421c40955_EOF
+ GH_AW_SAFE_OUTPUT_SCRIPT_POST_SLACK_MESSAGE_c30eabcd41f1ac22_EOF
- name: Process Safe Outputs
id: process_safe_outputs
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml
index c20455ccc61..14c1d866500 100644
--- a/.github/workflows/smoke-copilot-arm.lock.yml
+++ b/.github/workflows/smoke-copilot-arm.lock.yml
@@ -189,9 +189,9 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
- GH_AW_PROMPT_c9e071e53e64b932_EOF
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
@@ -199,7 +199,7 @@ jobs:
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
Tools: add_comment(max:2), create_issue, create_discussion, create_pull_request_review_comment(max:5), submit_pull_request_review, add_labels, remove_labels, dispatch_workflow, missing_tool, missing_data, noop
@@ -231,23 +231,23 @@ jobs:
{{/if}}
- GH_AW_PROMPT_c9e071e53e64b932_EOF
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
- GH_AW_PROMPT_c9e071e53e64b932_EOF
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
{{#runtime-import .github/workflows/shared/gh.md}}
- GH_AW_PROMPT_c9e071e53e64b932_EOF
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_c9e071e53e64b932_EOF
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_c9e071e53e64b932_EOF
- cat << 'GH_AW_PROMPT_c9e071e53e64b932_EOF'
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
+ cat << 'GH_AW_PROMPT_80f2c0387fc2e91c_EOF'
{{#runtime-import .github/workflows/smoke-copilot-arm.md}}
- GH_AW_PROMPT_c9e071e53e64b932_EOF
+ GH_AW_PROMPT_80f2c0387fc2e91c_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -497,12 +497,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_6fc7777c6de28eca_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_ff356b30883bf4e1_EOF'
{"add_comment":{"allowed_repos":["github/gh-aw"],"hide_older_comments":true,"max":2},"add_labels":{"allowed":["smoke-copilot-arm"],"allowed_repos":["github/gh-aw"]},"create_discussion":{"category":"announcements","close_older_discussions":true,"expires":2,"fallback_to_issue":true,"labels":["ai-generated"],"max":1},"create_issue":{"close_older_issues":true,"close_older_key":"smoke-copilot-arm","expires":2,"group":true,"labels":["automation","testing"],"max":1},"create_pull_request_review_comment":{"max":5,"side":"RIGHT"},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"remove_labels":{"allowed":["smoke"]},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"description":"The message to send","required":false,"type":"string"}},"output":"Slack message stub executed!"},"submit_pull_request_review":{"max":1}}
- GH_AW_SAFE_OUTPUTS_CONFIG_6fc7777c6de28eca_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_ff356b30883bf4e1_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_fb7918c7c3f6c71a_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_fe8745adcc6e117b_EOF'
{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.",
@@ -559,8 +559,8 @@ jobs:
}
]
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_fb7918c7c3f6c71a_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_6eee7ffbf3d09287_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_fe8745adcc6e117b_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_56f618f5533299b0_EOF'
{
"add_comment": {
"defaultMax": 1,
@@ -790,7 +790,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_6eee7ffbf3d09287_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_56f618f5533299b0_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -833,7 +833,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_b92d0dc23d43344d_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_478911be5f8bc942_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -949,8 +949,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_b92d0dc23d43344d_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_5492aeb7669e11d4_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_478911be5f8bc942_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_88fb0ea78a834d03_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -964,12 +964,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_5492aeb7669e11d4_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_88fb0ea78a834d03_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_e65337f45839cd84_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_450b846535cfab0a_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: gh
# Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -980,9 +980,9 @@ jobs:
echo " token: ${GH_AW_GH_TOKEN:0:6}..."
GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GH_e65337f45839cd84_EOF
+ GH_AW_MCP_SCRIPTS_SH_GH_450b846535cfab0a_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_d6ddb942cce519e2_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_b0680bad683b6951_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1117,9 +1117,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_d6ddb942cce519e2_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_b0680bad683b6951_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_fdc45fa4cd98d4a1_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_6715064ed6769336_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1198,9 +1198,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_fdc45fa4cd98d4a1_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_6715064ed6769336_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_667ad5ff0ac9f07f_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_8ec5361963561511_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1285,7 +1285,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_667ad5ff0ac9f07f_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_8ec5361963561511_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1358,7 +1358,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_38187d602986a5fc_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_11360a702a194984_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -1461,7 +1461,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_38187d602986a5fc_EOF
+ GH_AW_MCP_CONFIG_11360a702a194984_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index aab471bfcff..f06db15c72e 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -195,9 +195,9 @@ jobs:
run: |
bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh
{
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
- GH_AW_PROMPT_cb3371b468b3928c_EOF
+ GH_AW_PROMPT_911691aa67144f92_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
@@ -205,7 +205,7 @@ jobs:
cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
Tools: add_comment(max:2), create_issue, create_discussion, create_pull_request_review_comment(max:5), submit_pull_request_review, reply_to_pull_request_review_comment(max:5), add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop
@@ -237,23 +237,23 @@ jobs:
{{/if}}
- GH_AW_PROMPT_cb3371b468b3928c_EOF
+ GH_AW_PROMPT_911691aa67144f92_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
- GH_AW_PROMPT_cb3371b468b3928c_EOF
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ GH_AW_PROMPT_911691aa67144f92_EOF
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
{{#runtime-import .github/workflows/shared/gh.md}}
- GH_AW_PROMPT_cb3371b468b3928c_EOF
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ GH_AW_PROMPT_911691aa67144f92_EOF
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
{{#runtime-import .github/workflows/shared/reporting.md}}
- GH_AW_PROMPT_cb3371b468b3928c_EOF
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ GH_AW_PROMPT_911691aa67144f92_EOF
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
{{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}}
- GH_AW_PROMPT_cb3371b468b3928c_EOF
- cat << 'GH_AW_PROMPT_cb3371b468b3928c_EOF'
+ GH_AW_PROMPT_911691aa67144f92_EOF
+ cat << 'GH_AW_PROMPT_911691aa67144f92_EOF'
{{#runtime-import .github/workflows/smoke-copilot.md}}
- GH_AW_PROMPT_cb3371b468b3928c_EOF
+ GH_AW_PROMPT_911691aa67144f92_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -504,12 +504,12 @@ jobs:
mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_4c9aab4bfc7b7d42_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_15f92489b5b6b844_EOF'
{"add_comment":{"allowed_repos":["github/gh-aw"],"hide_older_comments":true,"max":2},"add_labels":{"allowed":["smoke-copilot"],"allowed_repos":["github/gh-aw"]},"create_discussion":{"category":"announcements","close_older_discussions":true,"close_older_key":"smoke-copilot","expires":2,"fallback_to_issue":true,"labels":["ai-generated"],"max":1},"create_issue":{"close_older_issues":true,"close_older_key":"smoke-copilot","expires":2,"group":true,"labels":["automation","testing"],"max":1},"create_pull_request_review_comment":{"max":5,"side":"RIGHT"},"dispatch_workflow":{"max":1,"workflow_files":{"haiku-printer":".yml"},"workflows":["haiku-printer"]},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"remove_labels":{"allowed":["smoke"]},"reply_to_pull_request_review_comment":{"max":5},"send-slack-message":{"description":"Send a message to Slack (stub for testing)","inputs":{"message":{"description":"The message to send","required":false,"type":"string"}},"output":"Slack message stub executed!"},"set_issue_type":{},"submit_pull_request_review":{"max":1}}
- GH_AW_SAFE_OUTPUTS_CONFIG_4c9aab4bfc7b7d42_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_15f92489b5b6b844_EOF
- name: Write Safe Outputs Tools
run: |
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_a110c440d41de3e9_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_b61b183d0813d040_EOF'
{
"description_suffixes": {
"add_comment": " CONSTRAINTS: Maximum 2 comment(s) can be added.",
@@ -567,8 +567,8 @@ jobs:
}
]
}
- GH_AW_SAFE_OUTPUTS_TOOLS_META_a110c440d41de3e9_EOF
- cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_9e323693d2b679e9_EOF'
+ GH_AW_SAFE_OUTPUTS_TOOLS_META_b61b183d0813d040_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_3a0130848e06a2fe_EOF'
{
"add_comment": {
"defaultMax": 1,
@@ -838,7 +838,7 @@ jobs:
}
}
}
- GH_AW_SAFE_OUTPUTS_VALIDATION_9e323693d2b679e9_EOF
+ GH_AW_SAFE_OUTPUTS_VALIDATION_3a0130848e06a2fe_EOF
node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs
- name: Generate Safe Outputs MCP Server Config
id: safe-outputs-config
@@ -881,7 +881,7 @@ jobs:
- name: Setup MCP Scripts Config
run: |
mkdir -p ${RUNNER_TEMP}/gh-aw/mcp-scripts/logs
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_771497388f3a8a37_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_a4566bfabe45aa45_EOF'
{
"serverName": "mcpscripts",
"version": "1.0.0",
@@ -997,8 +997,8 @@ jobs:
}
]
}
- GH_AW_MCP_SCRIPTS_TOOLS_771497388f3a8a37_EOF
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_3092dadf7c4b705f_EOF'
+ GH_AW_MCP_SCRIPTS_TOOLS_a4566bfabe45aa45_EOF
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_c87b8c860d1974c4_EOF'
const path = require("path");
const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs");
const configPath = path.join(__dirname, "tools.json");
@@ -1012,12 +1012,12 @@ jobs:
console.error("Failed to start mcp-scripts HTTP server:", error);
process.exit(1);
});
- GH_AW_MCP_SCRIPTS_SERVER_3092dadf7c4b705f_EOF
+ GH_AW_MCP_SCRIPTS_SERVER_c87b8c860d1974c4_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs
- name: Setup MCP Scripts Tool Files
run: |
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_ffc4ccb8a76bcffb_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_3ad540edaeb4d971_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: gh
# Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues.
@@ -1028,9 +1028,9 @@ jobs:
echo " token: ${GH_AW_GH_TOKEN:0:6}..."
GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS
- GH_AW_MCP_SCRIPTS_SH_GH_ffc4ccb8a76bcffb_EOF
+ GH_AW_MCP_SCRIPTS_SH_GH_3ad540edaeb4d971_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/gh.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_738382de206bd0ef_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_7b464ebdab7456b0_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-discussion-query
# Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1165,9 +1165,9 @@ jobs:
EOF
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_738382de206bd0ef_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_7b464ebdab7456b0_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-discussion-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_782bf1e5f984aa24_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_4b5afc8f32276710_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-issue-query
# Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1246,9 +1246,9 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_782bf1e5f984aa24_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_4b5afc8f32276710_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-issue-query.sh
- cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_9e853a386695b139_EOF'
+ cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_7afa50763df778fe_EOF'
#!/bin/bash
# Auto-generated mcp-script tool: github-pr-query
# Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter.
@@ -1333,7 +1333,7 @@ jobs:
fi
- GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_9e853a386695b139_EOF
+ GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_7afa50763df778fe_EOF
chmod +x ${RUNNER_TEMP}/gh-aw/mcp-scripts/github-pr-query.sh
- name: Generate MCP Scripts Server Config
@@ -1406,7 +1406,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6'
mkdir -p /home/runner/.copilot
- cat << GH_AW_MCP_CONFIG_87d5496efb11c10e_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
+ cat << GH_AW_MCP_CONFIG_1de5c4745e0b2994_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh
{
"mcpServers": {
"agenticworkflows": {
@@ -1509,7 +1509,7 @@ jobs:
"payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
}
}
- GH_AW_MCP_CONFIG_87d5496efb11c10e_EOF
+ GH_AW_MCP_CONFIG_1de5c4745e0b2994_EOF
- name: Download activation artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
diff --git a/pkg/workflow/codex_mcp.go b/pkg/workflow/codex_mcp.go
index 950d5fcebda..f49eb824405 100644
--- a/pkg/workflow/codex_mcp.go
+++ b/pkg/workflow/codex_mcp.go
@@ -28,7 +28,7 @@ func (e *CodexEngine) RenderMCPConfig(yaml *strings.Builder, tools map[string]an
})
}
- delimiter := GenerateHeredocDelimiter("MCP_CONFIG")
+ delimiter := GenerateHeredocDelimiterFromSeed("MCP_CONFIG", workflowData.FrontmatterHash)
yaml.WriteString(" cat > /tmp/gh-aw/mcp-config/config.toml << " + delimiter + "\n")
// Add history configuration to disable persistence
diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go
index f86f84c0d4c..546b5f33aa7 100644
--- a/pkg/workflow/compiler_safe_outputs_job.go
+++ b/pkg/workflow/compiler_safe_outputs_job.go
@@ -161,7 +161,7 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa
// This must run before the handler manager step so the files are available for require()
if len(data.SafeOutputs.Scripts) > 0 {
consolidatedSafeOutputsJobLog.Printf("Adding setup step for %d custom safe-output script(s)", len(data.SafeOutputs.Scripts))
- scriptSetupSteps := buildCustomScriptFilesStep(data.SafeOutputs.Scripts)
+ scriptSetupSteps := buildCustomScriptFilesStep(data.SafeOutputs.Scripts, data.FrontmatterHash)
steps = append(steps, scriptSetupSteps...)
}
@@ -640,7 +640,7 @@ func generateSafeOutputScriptContent(scriptName string, scriptConfig *SafeScript
// Users write only the handler body; the compiler wraps it with config destructuring,
// the handler function, and module.exports boilerplate.
// Each script is written using a heredoc to avoid shell quoting issues.
-func buildCustomScriptFilesStep(scripts map[string]*SafeScriptConfig) []string {
+func buildCustomScriptFilesStep(scripts map[string]*SafeScriptConfig, frontmatterHash string) []string {
if len(scripts) == 0 {
return nil
}
@@ -661,7 +661,7 @@ func buildCustomScriptFilesStep(scripts map[string]*SafeScriptConfig) []string {
normalizedName := stringutil.NormalizeSafeOutputIdentifier(scriptName)
filename := safeOutputScriptFilename(normalizedName)
filePath := SetupActionDestinationShell + "/" + filename
- delimiter := GenerateHeredocDelimiter("SAFE_OUTPUT_SCRIPT_" + strings.ToUpper(normalizedName))
+ delimiter := GenerateHeredocDelimiterFromSeed("SAFE_OUTPUT_SCRIPT_"+strings.ToUpper(normalizedName), frontmatterHash)
scriptContent := generateSafeOutputScriptContent(scriptName, scriptConfig)
steps = append(steps, fmt.Sprintf(" cat > %s << '%s'\n", filePath, delimiter))
diff --git a/pkg/workflow/compiler_types.go b/pkg/workflow/compiler_types.go
index 267d337bc44..f81bc0beee9 100644
--- a/pkg/workflow/compiler_types.go
+++ b/pkg/workflow/compiler_types.go
@@ -347,6 +347,7 @@ type WorkflowData struct {
TrialLogicalRepo string // target repository slug for trial mode (owner/repo)
FrontmatterName string // name field from frontmatter (for code scanning alert driver default)
FrontmatterYAML string // raw frontmatter YAML content (rendered as comment in lock file for reference)
+ FrontmatterHash string // SHA-256 hash of frontmatter (computed before job building, used to derive stable heredoc delimiters)
Description string // optional description rendered as comment in lock file
Source string // optional source field (owner/repo@ref/path) rendered as comment in lock file
TrackerID string // optional tracker identifier for created assets (min 8 chars, alphanumeric + hyphens/underscores)
diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go
index 09df0f30f3f..f066b3676c9 100644
--- a/pkg/workflow/compiler_yaml.go
+++ b/pkg/workflow/compiler_yaml.go
@@ -232,12 +232,10 @@ func (c *Compiler) generateWorkflowBody(yaml *strings.Builder, data *WorkflowDat
func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string, error) {
compilerYamlLog.Printf("Generating YAML for workflow: %s", data.Name)
- // Build all jobs and validate dependencies
- if err := c.buildJobsAndValidate(data, markdownPath); err != nil {
- return "", fmt.Errorf("failed to build and validate jobs: %w", err)
- }
-
- // Compute frontmatter hash before generating YAML
+ // Compute frontmatter hash BEFORE building jobs so that the stable hash is
+ // available to heredoc-delimiter generation throughout job construction.
+ // Using the hex-encoded SHA-256 frontmatter hash string as an HMAC key keeps
+ // the compiled lock file identical across repeated compilations of the same workflow.
var frontmatterHash string
if markdownPath != "" {
baseDir := filepath.Dir(markdownPath)
@@ -251,6 +249,14 @@ func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string
compilerYamlLog.Printf("Computed frontmatter hash: %s", hash)
}
}
+ // Store hash on WorkflowData so job-building helpers (MCP renderers, prompt
+ // step generators, etc.) can derive stable heredoc delimiters from it.
+ data.FrontmatterHash = frontmatterHash
+
+ // Build all jobs and validate dependencies
+ if err := c.buildJobsAndValidate(data, markdownPath); err != nil {
+ return "", fmt.Errorf("failed to build and validate jobs: %w", err)
+ }
// Pre-allocate builder capacity based on estimated workflow size
// Average workflow generates ~200KB, allocate 256KB to minimize reallocations
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
index c28065597e8..2757daeb2bc 100644
--- a/pkg/workflow/mcp_renderer.go
+++ b/pkg/workflow/mcp_renderer.go
@@ -206,7 +206,7 @@ func RenderJSONMCPConfig(
// Get the generated configuration
generatedConfig := configBuilder.String()
- delimiter := GenerateHeredocDelimiter("MCP_CONFIG")
+ delimiter := GenerateHeredocDelimiterFromSeed("MCP_CONFIG", workflowData.FrontmatterHash)
// Write the configuration to the YAML output
yaml.WriteString(" cat << " + delimiter + " | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh\n")
yaml.WriteString(generatedConfig)
diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go
index 8c378a068e2..f2a41f5da7b 100644
--- a/pkg/workflow/mcp_setup_generator.go
+++ b/pkg/workflow/mcp_setup_generator.go
@@ -211,7 +211,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
yaml.WriteString(" mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs\n")
// Write the safe-outputs configuration to config.json
- delimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_CONFIG")
+ delimiter := GenerateHeredocDelimiterFromSeed("SAFE_OUTPUTS_CONFIG", workflowData.FrontmatterHash)
if safeOutputConfig != "" {
yaml.WriteString(" cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << '" + delimiter + "'\n")
yaml.WriteString(" " + safeOutputConfig + "\n")
@@ -260,7 +260,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
yaml.WriteString(" - name: Write Safe Outputs Tools\n")
yaml.WriteString(" run: |\n")
- toolsMetaDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_TOOLS_META")
+ toolsMetaDelimiter := GenerateHeredocDelimiterFromSeed("SAFE_OUTPUTS_TOOLS_META", workflowData.FrontmatterHash)
yaml.WriteString(" cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << '" + toolsMetaDelimiter + "'\n")
// Write each line of the compact meta JSON with proper YAML indentation
for line := range strings.SplitSeq(toolsMetaJSON, "\n") {
@@ -268,7 +268,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
}
yaml.WriteString(" " + toolsMetaDelimiter + "\n")
- validationDelimiter := GenerateHeredocDelimiter("SAFE_OUTPUTS_VALIDATION")
+ validationDelimiter := GenerateHeredocDelimiterFromSeed("SAFE_OUTPUTS_VALIDATION", workflowData.FrontmatterHash)
yaml.WriteString(" cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << '" + validationDelimiter + "'\n")
// Write each line of the indented JSON with proper YAML indentation
for line := range strings.SplitSeq(validationConfigJSON, "\n") {
@@ -342,7 +342,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
// Generate the tools.json configuration file
toolsJSON := GenerateMCPScriptsToolsConfig(workflowData.MCPScripts)
- toolsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_TOOLS")
+ toolsDelimiter := GenerateHeredocDelimiterFromSeed("MCP_SCRIPTS_TOOLS", workflowData.FrontmatterHash)
yaml.WriteString(" cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/tools.json << '" + toolsDelimiter + "'\n")
for line := range strings.SplitSeq(toolsJSON, "\n") {
yaml.WriteString(" " + line + "\n")
@@ -351,7 +351,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
// Generate the MCP server entry point
mcpScriptsMCPServer := GenerateMCPScriptsMCPServerScript(workflowData.MCPScripts)
- serverDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SERVER")
+ serverDelimiter := GenerateHeredocDelimiterFromSeed("MCP_SCRIPTS_SERVER", workflowData.FrontmatterHash)
yaml.WriteString(" cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/mcp-server.cjs << '" + serverDelimiter + "'\n")
for _, line := range FormatJavaScriptForYAML(mcpScriptsMCPServer) {
yaml.WriteString(line)
@@ -373,7 +373,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
if toolConfig.Script != "" {
// JavaScript tool
toolScript := GenerateMCPScriptJavaScriptToolScript(toolConfig)
- jsDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_JS_" + strings.ToUpper(toolName))
+ jsDelimiter := GenerateHeredocDelimiterFromSeed("MCP_SCRIPTS_JS_"+strings.ToUpper(toolName), workflowData.FrontmatterHash)
fmt.Fprintf(yaml, " cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/%s.cjs << '%s'\n", toolName, jsDelimiter)
for _, line := range FormatJavaScriptForYAML(toolScript) {
yaml.WriteString(line)
@@ -382,7 +382,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
} else if toolConfig.Run != "" {
// Shell script tool
toolScript := GenerateMCPScriptShellToolScript(toolConfig)
- shDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_SH_" + strings.ToUpper(toolName))
+ shDelimiter := GenerateHeredocDelimiterFromSeed("MCP_SCRIPTS_SH_"+strings.ToUpper(toolName), workflowData.FrontmatterHash)
fmt.Fprintf(yaml, " cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/%s.sh << '%s'\n", toolName, shDelimiter)
for line := range strings.SplitSeq(toolScript, "\n") {
yaml.WriteString(" " + line + "\n")
@@ -392,7 +392,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
} else if toolConfig.Py != "" {
// Python script tool
toolScript := GenerateMCPScriptPythonToolScript(toolConfig)
- pyDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_PY_" + strings.ToUpper(toolName))
+ pyDelimiter := GenerateHeredocDelimiterFromSeed("MCP_SCRIPTS_PY_"+strings.ToUpper(toolName), workflowData.FrontmatterHash)
fmt.Fprintf(yaml, " cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/%s.py << '%s'\n", toolName, pyDelimiter)
for line := range strings.SplitSeq(toolScript, "\n") {
yaml.WriteString(" " + line + "\n")
@@ -402,7 +402,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
} else if toolConfig.Go != "" {
// Go script tool
toolScript := GenerateMCPScriptGoToolScript(toolConfig)
- goDelimiter := GenerateHeredocDelimiter("MCP_SCRIPTS_GO_" + strings.ToUpper(toolName))
+ goDelimiter := GenerateHeredocDelimiterFromSeed("MCP_SCRIPTS_GO_"+strings.ToUpper(toolName), workflowData.FrontmatterHash)
fmt.Fprintf(yaml, " cat > ${RUNNER_TEMP}/gh-aw/mcp-scripts/%s.go << '%s'\n", toolName, goDelimiter)
for line := range strings.SplitSeq(toolScript, "\n") {
yaml.WriteString(" " + line + "\n")
diff --git a/pkg/workflow/safe_scripts_test.go b/pkg/workflow/safe_scripts_test.go
index 052b1eeceb0..8a6f58e07f1 100644
--- a/pkg/workflow/safe_scripts_test.go
+++ b/pkg/workflow/safe_scripts_test.go
@@ -338,7 +338,7 @@ func TestBuildCustomScriptFilesStep(t *testing.T) {
},
}
- steps := buildCustomScriptFilesStep(scripts)
+ steps := buildCustomScriptFilesStep(scripts, "")
require.NotEmpty(t, steps, "Should produce steps")
@@ -360,10 +360,10 @@ func TestBuildCustomScriptFilesStep(t *testing.T) {
// TestBuildCustomScriptFilesStepEmpty verifies nil return for empty scripts
func TestBuildCustomScriptFilesStepEmpty(t *testing.T) {
- steps := buildCustomScriptFilesStep(nil)
+ steps := buildCustomScriptFilesStep(nil, "")
assert.Nil(t, steps, "Should return nil for empty scripts")
- stepsEmpty := buildCustomScriptFilesStep(map[string]*SafeScriptConfig{})
+ stepsEmpty := buildCustomScriptFilesStep(map[string]*SafeScriptConfig{}, "")
assert.Nil(t, stepsEmpty, "Should return nil for empty map")
}
diff --git a/pkg/workflow/strings.go b/pkg/workflow/strings.go
index 4c168d6a128..c82b49d854e 100644
--- a/pkg/workflow/strings.go
+++ b/pkg/workflow/strings.go
@@ -79,7 +79,9 @@
package workflow
import (
+ "crypto/hmac"
"crypto/rand"
+ "crypto/sha256"
"encoding/hex"
"fmt"
"regexp"
@@ -300,6 +302,39 @@ func GenerateHeredocDelimiter(name string) string {
return "GH_AW_" + strings.ToUpper(name) + "_" + tag + "_EOF"
}
+// GenerateHeredocDelimiterFromSeed creates a stable heredoc delimiter derived from a seed
+// (typically the workflow frontmatter hash hex string) so that repeated compilations of the
+// same workflow produce identical lock files.
+//
+// When seed is non-empty, the 16-character hex tag is derived deterministically via
+// HMAC-SHA256(key=seed, data=UPPER(name)), taking the first 8 bytes of the MAC.
+// Using HMAC (with the seed as the key and the name as the message) avoids any
+// length-extension or concatenation-collision concerns. This preserves the
+// injection-resistance guarantee (an attacker who cannot control the frontmatter hash
+// cannot predict the delimiter) while also making the compiled output stable.
+//
+// When seed is empty, the function falls back to crypto/rand — the same behaviour as
+// GenerateHeredocDelimiter — so callers that lack a hash continue to work correctly.
+func GenerateHeredocDelimiterFromSeed(name string, seed string) string {
+ upperName := strings.ToUpper(name)
+ var tag string
+ if seed != "" {
+ mac := hmac.New(sha256.New, []byte(seed))
+ mac.Write([]byte(upperName))
+ tag = hex.EncodeToString(mac.Sum(nil)[:8]) // first 8 bytes → 16 hex chars
+ } else {
+ b := make([]byte, 8)
+ if _, err := rand.Read(b); err != nil {
+ panic("crypto/rand failed: " + err.Error())
+ }
+ tag = hex.EncodeToString(b)
+ }
+ if name == "" {
+ return "GH_AW_" + tag + "_EOF"
+ }
+ return "GH_AW_" + upperName + "_" + tag + "_EOF"
+}
+
// PrettifyToolName removes "mcp__" prefix and formats tool names nicely
func PrettifyToolName(toolName string) string {
// Handle MCP tools: "mcp__github__search_issues" -> "github_search_issues"
diff --git a/pkg/workflow/strings_test.go b/pkg/workflow/strings_test.go
index ce7ba948750..20796e120a7 100644
--- a/pkg/workflow/strings_test.go
+++ b/pkg/workflow/strings_test.go
@@ -660,3 +660,68 @@ func TestGenerateHeredocDelimiter_Uniqueness(t *testing.T) {
assert.NotEqual(t, result2, result3, "GenerateHeredocDelimiter should produce unique delimiters")
assert.NotEqual(t, result1, result3, "GenerateHeredocDelimiter should produce unique delimiters")
}
+
+func TestGenerateHeredocDelimiterFromSeed_Stability(t *testing.T) {
+ // Sample SHA-256 hex string representing a typical workflow frontmatter hash.
+ seed := "49266e50774d7e6a8b1c50f64b2f790c214dcdcf7b75b6bc8478bb43257b9863"
+
+ // Same seed and name must always produce the same delimiter (stable across compilations)
+ result1 := GenerateHeredocDelimiterFromSeed("PROMPT", seed)
+ result2 := GenerateHeredocDelimiterFromSeed("PROMPT", seed)
+ assert.Equal(t, result1, result2, "Same seed+name should produce identical delimiters")
+
+ // Format should still match the expected pattern
+ pattern := regexp.MustCompile(`^GH_AW_PROMPT_[0-9a-f]{16}_EOF$`)
+ assert.True(t, pattern.MatchString(result1), "Seeded delimiter should match expected format, got %q", result1)
+}
+
+func TestGenerateHeredocDelimiterFromSeed_DifferentNames(t *testing.T) {
+ // Sample SHA-256 hex string representing a typical workflow frontmatter hash.
+ seed := "49266e50774d7e6a8b1c50f64b2f790c214dcdcf7b75b6bc8478bb43257b9863"
+
+ // Different names with the same seed must produce different delimiters
+ promptDelim := GenerateHeredocDelimiterFromSeed("PROMPT", seed)
+ mcpDelim := GenerateHeredocDelimiterFromSeed("MCP_CONFIG", seed)
+ safeDelim := GenerateHeredocDelimiterFromSeed("SAFE_OUTPUTS_CONFIG", seed)
+
+ assert.NotEqual(t, promptDelim, mcpDelim, "Different names should produce different delimiters")
+ assert.NotEqual(t, mcpDelim, safeDelim, "Different names should produce different delimiters")
+ assert.NotEqual(t, promptDelim, safeDelim, "Different names should produce different delimiters")
+
+ assert.Contains(t, promptDelim, "GH_AW_PROMPT_", "Delimiter should contain the name")
+ assert.Contains(t, mcpDelim, "GH_AW_MCP_CONFIG_", "Delimiter should contain the name")
+ assert.Contains(t, safeDelim, "GH_AW_SAFE_OUTPUTS_CONFIG_", "Delimiter should contain the name")
+}
+
+func TestGenerateHeredocDelimiterFromSeed_DifferentSeeds(t *testing.T) {
+ // Sample SHA-256 hex strings representing two different workflow frontmatter hashes.
+ seed1 := "aaaa0000bbbb1111cccc2222dddd3333eeee4444ffff5555000011112222333344"
+ seed2 := "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
+
+ // Different seeds with the same name must produce different delimiters
+ delim1 := GenerateHeredocDelimiterFromSeed("PROMPT", seed1)
+ delim2 := GenerateHeredocDelimiterFromSeed("PROMPT", seed2)
+
+ assert.NotEqual(t, delim1, delim2, "Different seeds should produce different delimiters")
+}
+
+func TestGenerateHeredocDelimiterFromSeed_EmptySeedFallback(t *testing.T) {
+ // Empty seed should fall back to crypto/rand — each call returns a different value
+ result1 := GenerateHeredocDelimiterFromSeed("PROMPT", "")
+ result2 := GenerateHeredocDelimiterFromSeed("PROMPT", "")
+
+ pattern := regexp.MustCompile(`^GH_AW_PROMPT_[0-9a-f]{16}_EOF$`)
+ assert.True(t, pattern.MatchString(result1), "Empty-seed delimiter should match expected format, got %q", result1)
+ assert.True(t, pattern.MatchString(result2), "Empty-seed delimiter should match expected format, got %q", result2)
+ assert.NotEqual(t, result1, result2, "Empty-seed should produce unique (random) delimiters")
+}
+
+func TestGenerateHeredocDelimiterFromSeed_EmptyName(t *testing.T) {
+ // Sample SHA-256 hex string representing a typical workflow frontmatter hash.
+ seed := "49266e50774d7e6a8b1c50f64b2f790c214dcdcf7b75b6bc8478bb43257b9863"
+
+ // Empty name should produce GH_AW_<16hex>_EOF (no name segment)
+ result := GenerateHeredocDelimiterFromSeed("", seed)
+ pattern := regexp.MustCompile(`^GH_AW_[0-9a-f]{16}_EOF$`)
+ assert.True(t, pattern.MatchString(result), "Empty-name seeded delimiter should match GH_AW__EOF, got %q", result)
+}
diff --git a/pkg/workflow/unified_prompt_step.go b/pkg/workflow/unified_prompt_step.go
index c13ebb2175e..4393356c332 100644
--- a/pkg/workflow/unified_prompt_step.go
+++ b/pkg/workflow/unified_prompt_step.go
@@ -290,7 +290,7 @@ func (c *Compiler) generateUnifiedPromptCreationStep(yaml *strings.Builder, buil
unifiedPromptLog.Printf("Built-in sections: %d, User prompt chunks: %d", len(builtinSections), len(userPromptChunks))
// Get the heredoc delimiter for consistent usage
- delimiter := GenerateHeredocDelimiter("PROMPT")
+ delimiter := GenerateHeredocDelimiterFromSeed("PROMPT", data.FrontmatterHash)
// Collect all environment variables from built-in sections and user prompt expressions
allEnvVars := make(map[string]string)