From 03a89606e2a6816c1e5e38866c127ac011b83f19 Mon Sep 17 00:00:00 2001 From: Don Syme Date: Wed, 3 Sep 2025 20:54:56 +0100 Subject: [PATCH 1/2] update GitHub MCP Server --- .../example-engine-network-permissions.lock.yml | 2 +- .github/workflows/issue-triage.lock.yml | 2 +- .../workflows/test-claude-add-issue-comment.lock.yml | 2 +- .../workflows/test-claude-add-issue-labels.lock.yml | 2 +- .github/workflows/test-claude-command.lock.yml | 2 +- .github/workflows/test-claude-create-issue.lock.yml | 2 +- .../test-claude-create-pull-request.lock.yml | 2 +- .github/workflows/test-claude-mcp.lock.yml | 2 +- .../workflows/test-claude-push-to-branch.lock.yml | 2 +- .github/workflows/test-claude-update-issue.lock.yml | 2 +- .../workflows/test-codex-add-issue-comment.lock.yml | 2 +- .../workflows/test-codex-add-issue-labels.lock.yml | 2 +- .github/workflows/test-codex-command.lock.yml | 2 +- .github/workflows/test-codex-create-issue.lock.yml | 2 +- .../test-codex-create-pull-request.lock.yml | 2 +- .github/workflows/test-codex-mcp.lock.yml | 2 +- .github/workflows/test-codex-push-to-branch.lock.yml | 2 +- .github/workflows/test-codex-update-issue.lock.yml | 2 +- .github/workflows/test-proxy.lock.yml | 2 +- .github/workflows/weekly-research.lock.yml | 2 +- docs/mcps.md | 4 ++-- pkg/parser/mcp.go | 2 +- pkg/parser/mcp_test.go | 4 ++-- pkg/workflow/compiler.go | 2 +- pkg/workflow/mcp_config_test.go | 12 ++++++------ 25 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/example-engine-network-permissions.lock.yml b/.github/workflows/example-engine-network-permissions.lock.yml index 2dba6f898d2..217f1cac61c 100644 --- a/.github/workflows/example-engine-network-permissions.lock.yml +++ b/.github/workflows/example-engine-network-permissions.lock.yml @@ -146,7 +146,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/issue-triage.lock.yml b/.github/workflows/issue-triage.lock.yml index eee44b9e71f..e90a26bd5f9 100644 --- a/.github/workflows/issue-triage.lock.yml +++ b/.github/workflows/issue-triage.lock.yml @@ -45,7 +45,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-add-issue-comment.lock.yml b/.github/workflows/test-claude-add-issue-comment.lock.yml index 00895d7c714..74e6ca75a99 100644 --- a/.github/workflows/test-claude-add-issue-comment.lock.yml +++ b/.github/workflows/test-claude-add-issue-comment.lock.yml @@ -234,7 +234,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-add-issue-labels.lock.yml b/.github/workflows/test-claude-add-issue-labels.lock.yml index 23451b32279..b0fcc0411ae 100644 --- a/.github/workflows/test-claude-add-issue-labels.lock.yml +++ b/.github/workflows/test-claude-add-issue-labels.lock.yml @@ -234,7 +234,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-command.lock.yml b/.github/workflows/test-claude-command.lock.yml index 61cb4cf19ad..c5f2fa185cf 100644 --- a/.github/workflows/test-claude-command.lock.yml +++ b/.github/workflows/test-claude-command.lock.yml @@ -472,7 +472,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-create-issue.lock.yml b/.github/workflows/test-claude-create-issue.lock.yml index bd775ffd5db..6520e84d751 100644 --- a/.github/workflows/test-claude-create-issue.lock.yml +++ b/.github/workflows/test-claude-create-issue.lock.yml @@ -61,7 +61,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-create-pull-request.lock.yml b/.github/workflows/test-claude-create-pull-request.lock.yml index d3dc1d6d688..7d1df245eb3 100644 --- a/.github/workflows/test-claude-create-pull-request.lock.yml +++ b/.github/workflows/test-claude-create-pull-request.lock.yml @@ -61,7 +61,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-mcp.lock.yml b/.github/workflows/test-claude-mcp.lock.yml index fdc53158926..0b94ec00c75 100644 --- a/.github/workflows/test-claude-mcp.lock.yml +++ b/.github/workflows/test-claude-mcp.lock.yml @@ -231,7 +231,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-push-to-branch.lock.yml b/.github/workflows/test-claude-push-to-branch.lock.yml index 3ea2fd300bc..ac54ae54820 100644 --- a/.github/workflows/test-claude-push-to-branch.lock.yml +++ b/.github/workflows/test-claude-push-to-branch.lock.yml @@ -111,7 +111,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-claude-update-issue.lock.yml b/.github/workflows/test-claude-update-issue.lock.yml index 1157c275078..2b7d8ba6940 100644 --- a/.github/workflows/test-claude-update-issue.lock.yml +++ b/.github/workflows/test-claude-update-issue.lock.yml @@ -234,7 +234,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-codex-add-issue-comment.lock.yml b/.github/workflows/test-codex-add-issue-comment.lock.yml index da8a1482544..0158fe89687 100644 --- a/.github/workflows/test-codex-add-issue-comment.lock.yml +++ b/.github/workflows/test-codex-add-issue-comment.lock.yml @@ -241,7 +241,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } EOF diff --git a/.github/workflows/test-codex-add-issue-labels.lock.yml b/.github/workflows/test-codex-add-issue-labels.lock.yml index a4618034aeb..cbbd91370eb 100644 --- a/.github/workflows/test-codex-add-issue-labels.lock.yml +++ b/.github/workflows/test-codex-add-issue-labels.lock.yml @@ -241,7 +241,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } EOF diff --git a/.github/workflows/test-codex-command.lock.yml b/.github/workflows/test-codex-command.lock.yml index 6ff932c72f6..be0e7bca91b 100644 --- a/.github/workflows/test-codex-command.lock.yml +++ b/.github/workflows/test-codex-command.lock.yml @@ -472,7 +472,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/test-codex-create-issue.lock.yml b/.github/workflows/test-codex-create-issue.lock.yml index 2570f47854b..73038ac2c3c 100644 --- a/.github/workflows/test-codex-create-issue.lock.yml +++ b/.github/workflows/test-codex-create-issue.lock.yml @@ -68,7 +68,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } EOF diff --git a/.github/workflows/test-codex-create-pull-request.lock.yml b/.github/workflows/test-codex-create-pull-request.lock.yml index 502ae2845e9..e03dd68e1f4 100644 --- a/.github/workflows/test-codex-create-pull-request.lock.yml +++ b/.github/workflows/test-codex-create-pull-request.lock.yml @@ -68,7 +68,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } EOF diff --git a/.github/workflows/test-codex-mcp.lock.yml b/.github/workflows/test-codex-mcp.lock.yml index f5d971756df..4925e71674a 100644 --- a/.github/workflows/test-codex-mcp.lock.yml +++ b/.github/workflows/test-codex-mcp.lock.yml @@ -238,7 +238,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } diff --git a/.github/workflows/test-codex-push-to-branch.lock.yml b/.github/workflows/test-codex-push-to-branch.lock.yml index 2d8440db84e..52ba3527260 100644 --- a/.github/workflows/test-codex-push-to-branch.lock.yml +++ b/.github/workflows/test-codex-push-to-branch.lock.yml @@ -118,7 +118,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } EOF diff --git a/.github/workflows/test-codex-update-issue.lock.yml b/.github/workflows/test-codex-update-issue.lock.yml index 9e6c76fcbeb..ad4b0b64b4a 100644 --- a/.github/workflows/test-codex-update-issue.lock.yml +++ b/.github/workflows/test-codex-update-issue.lock.yml @@ -241,7 +241,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ] env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "${{ secrets.GITHUB_TOKEN }}" } EOF diff --git a/.github/workflows/test-proxy.lock.yml b/.github/workflows/test-proxy.lock.yml index 7862e2149da..c212947c47c 100644 --- a/.github/workflows/test-proxy.lock.yml +++ b/.github/workflows/test-proxy.lock.yml @@ -208,7 +208,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/weekly-research.lock.yml b/.github/workflows/weekly-research.lock.yml index 2444c41e5f6..731b3d98c47 100644 --- a/.github/workflows/weekly-research.lock.yml +++ b/.github/workflows/weekly-research.lock.yml @@ -44,7 +44,7 @@ jobs: "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae" + "ghcr.io/github/github-mcp-server:sha-09deac4" ], "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}" diff --git a/docs/mcps.md b/docs/mcps.md index a1b93355b33..245b88fa05c 100644 --- a/docs/mcps.md +++ b/docs/mcps.md @@ -139,11 +139,11 @@ You can configure the docker image version for GitHub tools: ```yaml tools: github: - docker_image_version: "sha-45e90ae" # Optional: specify version + docker_image_version: "sha-09deac4" # Optional: specify version ``` **Configuration Options**: -- `docker_image_version`: Docker image version (default: `"sha-45e90ae"`) +- `docker_image_version`: Docker image version (default: `"sha-09deac4"`) ## Tool Allow-listing diff --git a/pkg/parser/mcp.go b/pkg/parser/mcp.go index 63964204400..edcd967e0bf 100644 --- a/pkg/parser/mcp.go +++ b/pkg/parser/mcp.go @@ -83,7 +83,7 @@ func ExtractMCPConfigurations(frontmatter map[string]any, serverFilter string) ( Command: "docker", Args: []string{ "run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae", + "ghcr.io/github/github-mcp-server:sha-09deac4", }, Env: make(map[string]string), } diff --git a/pkg/parser/mcp_test.go b/pkg/parser/mcp_test.go index a1be7de942a..37f2415939b 100644 --- a/pkg/parser/mcp_test.go +++ b/pkg/parser/mcp_test.go @@ -41,7 +41,7 @@ func TestExtractMCPConfigurations(t *testing.T) { Command: "docker", Args: []string{ "run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae", + "ghcr.io/github/github-mcp-server:sha-09deac4", }, Env: map[string]string{"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN_REQUIRED}"}, Allowed: []string{}, @@ -202,7 +202,7 @@ func TestExtractMCPConfigurations(t *testing.T) { Command: "docker", Args: []string{ "run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", - "ghcr.io/github/github-mcp-server:sha-45e90ae", + "ghcr.io/github/github-mcp-server:sha-09deac4", }, Env: map[string]string{"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN_REQUIRED}"}, Allowed: []string{}, diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index f618b2235f7..1f5190d643c 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go @@ -2249,7 +2249,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, } func getGitHubDockerImageVersion(githubTool any) string { - githubDockerImageVersion := "sha-45e90ae" // Default Docker image version + githubDockerImageVersion := "sha-09deac4" // Default Docker image version // Extract docker_image_version setting from tool properties if toolConfig, ok := githubTool.(map[string]any); ok { if versionSetting, exists := toolConfig["docker_image_version"]; exists { diff --git a/pkg/workflow/mcp_config_test.go b/pkg/workflow/mcp_config_test.go index 74d1835a5f2..c71e261928b 100644 --- a/pkg/workflow/mcp_config_test.go +++ b/pkg/workflow/mcp_config_test.go @@ -35,7 +35,7 @@ tools: // With Docker MCP always enabled, default is docker (not services) expectedType: "docker", expectedCommand: "docker", - expectedDockerImage: "ghcr.io/github/github-mcp-server:sha-45e90ae", + expectedDockerImage: "ghcr.io/github/github-mcp-server:sha-09deac4", }, { name: "custom docker image version", @@ -205,7 +205,7 @@ func TestGenerateGitHubMCPConfig(t *testing.T) { if !strings.Contains(result, `"command": "docker"`) { t.Errorf("Expected Docker command but got:\n%s", result) } - if !strings.Contains(result, `"ghcr.io/github/github-mcp-server:sha-45e90ae"`) { + if !strings.Contains(result, `"ghcr.io/github/github-mcp-server:sha-09deac4"`) { t.Errorf("Expected Docker image but got:\n%s", result) } if strings.Contains(result, `"type": "http"`) { @@ -288,7 +288,7 @@ tools: args: ["run", "-i", "--rm", "custom/mcp-server:latest"] ---`, expectedType: "docker", // GitHub always uses docker now - expectedDockerImage: "sha-45e90ae", // Default version + expectedDockerImage: "sha-09deac4", // Default version }, { name: "custom docker MCP with default settings", @@ -303,7 +303,7 @@ tools: args: ["run", "-i", "--rm", "custom/mcp-server:latest"] ---`, expectedType: "docker", // Services mode removed - always Docker - expectedDockerImage: "sha-45e90ae", // Default version + expectedDockerImage: "sha-09deac4", // Default version }, { name: "custom docker MCP with different settings", @@ -318,7 +318,7 @@ tools: args: ["run", "-i", "--rm", "custom/mcp-server:latest"] ---`, expectedType: "docker", - expectedDockerImage: "sha-45e90ae", // Default version + expectedDockerImage: "sha-09deac4", // Default version }, { name: "mixed MCP configuration with defaults", @@ -338,7 +338,7 @@ tools: args: ["run", "-i", "--rm", "-v", "/tmp:/workspace", "custom/tool:latest"] ---`, expectedType: "docker", // GitHub should now use docker by default (not services) - expectedDockerImage: "sha-45e90ae", // Default version + expectedDockerImage: "sha-09deac4", // Default version }, { name: "custom docker MCP with custom Docker image version", From b5d51e906bd9decdba2edd439290f17fa2979d6c Mon Sep 17 00:00:00 2001 From: Don Syme Date: Wed, 3 Sep 2025 22:42:56 +0100 Subject: [PATCH 2/2] don't give GH_TOKEN to claude --- ...xample-engine-network-permissions.lock.yml | 2 -- .github/workflows/issue-triage.lock.yml | 2 -- .../test-claude-add-issue-comment.lock.yml | 1 - .../test-claude-add-issue-labels.lock.yml | 1 - .../workflows/test-claude-command.lock.yml | 1 - .../test-claude-create-issue.lock.yml | 1 - .../test-claude-create-pull-request.lock.yml | 1 - .github/workflows/test-claude-mcp.lock.yml | 1 - .../test-claude-push-to-branch.lock.yml | 1 - .../test-claude-update-issue.lock.yml | 1 - .github/workflows/test-codex-command.lock.yml | 1 - .github/workflows/test-proxy.lock.yml | 1 - .github/workflows/weekly-research.lock.yml | 2 -- docs/safe-outputs.md | 11 ++++++++ pkg/workflow/claude_engine.go | 25 +++++++++++-------- pkg/workflow/claude_engine_network_test.go | 9 +++++-- pkg/workflow/claude_engine_test.go | 19 ++++++++------ pkg/workflow/compiler.go | 7 +++++- 18 files changed, 50 insertions(+), 37 deletions(-) diff --git a/.github/workflows/example-engine-network-permissions.lock.yml b/.github/workflows/example-engine-network-permissions.lock.yml index 217f1cac61c..1a7f15a4dc2 100644 --- a/.github/workflows/example-engine-network-permissions.lock.yml +++ b/.github/workflows/example-engine-network-permissions.lock.yml @@ -270,8 +270,6 @@ jobs: # - mcp__github__search_users allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,WebFetch,WebSearch,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} - claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt settings: .claude/settings.json diff --git a/.github/workflows/issue-triage.lock.yml b/.github/workflows/issue-triage.lock.yml index e90a26bd5f9..43ee52d4971 100644 --- a/.github/workflows/issue-triage.lock.yml +++ b/.github/workflows/issue-triage.lock.yml @@ -284,8 +284,6 @@ jobs: # - mcp__github__update_issue allowed_tools: "Bash(echo:*),Bash(gh label list:*),Bash(gh label view:*),Edit,ExitPlanMode,Glob,Grep,LS,MultiEdit,NotebookRead,Read,Task,TodoWrite,WebFetch,WebSearch,Write,mcp__github__add_issue_comment,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__github__update_issue" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} - claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt timeout_minutes: 10 diff --git a/.github/workflows/test-claude-add-issue-comment.lock.yml b/.github/workflows/test-claude-add-issue-comment.lock.yml index 74e6ca75a99..cc12f83cce8 100644 --- a/.github/workflows/test-claude-add-issue-comment.lock.yml +++ b/.github/workflows/test-claude-add-issue-comment.lock.yml @@ -389,7 +389,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-add-issue-labels.lock.yml b/.github/workflows/test-claude-add-issue-labels.lock.yml index b0fcc0411ae..74d3f97d6ed 100644 --- a/.github/workflows/test-claude-add-issue-labels.lock.yml +++ b/.github/workflows/test-claude-add-issue-labels.lock.yml @@ -389,7 +389,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-command.lock.yml b/.github/workflows/test-claude-command.lock.yml index c5f2fa185cf..53af18c3c81 100644 --- a/.github/workflows/test-claude-command.lock.yml +++ b/.github/workflows/test-claude-command.lock.yml @@ -627,7 +627,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-create-issue.lock.yml b/.github/workflows/test-claude-create-issue.lock.yml index 6520e84d751..ea0145d9f91 100644 --- a/.github/workflows/test-claude-create-issue.lock.yml +++ b/.github/workflows/test-claude-create-issue.lock.yml @@ -218,7 +218,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-create-pull-request.lock.yml b/.github/workflows/test-claude-create-pull-request.lock.yml index 7d1df245eb3..5ed650bcee3 100644 --- a/.github/workflows/test-claude-create-pull-request.lock.yml +++ b/.github/workflows/test-claude-create-pull-request.lock.yml @@ -235,7 +235,6 @@ jobs: allowed_tools: "Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git switch:*),Edit,ExitPlanMode,Glob,Grep,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-mcp.lock.yml b/.github/workflows/test-claude-mcp.lock.yml index 0b94ec00c75..739508c6b13 100644 --- a/.github/workflows/test-claude-mcp.lock.yml +++ b/.github/workflows/test-claude-mcp.lock.yml @@ -411,7 +411,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__time__get_current_time" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-push-to-branch.lock.yml b/.github/workflows/test-claude-push-to-branch.lock.yml index ac54ae54820..5d42e92e5e2 100644 --- a/.github/workflows/test-claude-push-to-branch.lock.yml +++ b/.github/workflows/test-claude-push-to-branch.lock.yml @@ -318,7 +318,6 @@ jobs: allowed_tools: "Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git switch:*),Edit,ExitPlanMode,Glob,Grep,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-claude-update-issue.lock.yml b/.github/workflows/test-claude-update-issue.lock.yml index 2b7d8ba6940..38c033cb0b6 100644 --- a/.github/workflows/test-claude-update-issue.lock.yml +++ b/.github/workflows/test-claude-update-issue.lock.yml @@ -392,7 +392,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-codex-command.lock.yml b/.github/workflows/test-codex-command.lock.yml index be0e7bca91b..61b317b0f1c 100644 --- a/.github/workflows/test-codex-command.lock.yml +++ b/.github/workflows/test-codex-command.lock.yml @@ -627,7 +627,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/test-proxy.lock.yml b/.github/workflows/test-proxy.lock.yml index c212947c47c..cd4c4e8b6be 100644 --- a/.github/workflows/test-proxy.lock.yml +++ b/.github/workflows/test-proxy.lock.yml @@ -389,7 +389,6 @@ jobs: allowed_tools: "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__fetch__fetch,mcp__github__create_comment,mcp__github__create_issue,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt diff --git a/.github/workflows/weekly-research.lock.yml b/.github/workflows/weekly-research.lock.yml index 731b3d98c47..a0ffb27b648 100644 --- a/.github/workflows/weekly-research.lock.yml +++ b/.github/workflows/weekly-research.lock.yml @@ -253,8 +253,6 @@ jobs: # - mcp__github__search_users allowed_tools: "Bash(echo:*),Bash(gh label list:*),Bash(gh label view:*),Edit,ExitPlanMode,Glob,Grep,LS,MultiEdit,NotebookRead,Read,Task,TodoWrite,WebFetch,WebSearch,Write,mcp__github__create_issue,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} - claude_env: | - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} mcp_config: /tmp/mcp-config/mcp-servers.json prompt_file: /tmp/aw-prompts/prompt.txt timeout_minutes: 15 diff --git a/docs/safe-outputs.md b/docs/safe-outputs.md index 01ff79ae102..1e130f525a0 100644 --- a/docs/safe-outputs.md +++ b/docs/safe-outputs.md @@ -2,6 +2,17 @@ One of the primary security features of GitHub Agentic Workflows is "safe output processing", enabling the creation of GitHub issues, comments, pull requests, and other outputs without giving the agentic portion of the workflow write permissions. +## Available Safe Output Types + +| Output Type | Configuration Key | Description | Default Max | +|-------------|------------------|-------------|-------------| +| **New Issue Creation** | `create-issue:` | Create GitHub issues based on workflow output | 1 | +| **Issue Comments** | `add-issue-comment:` | Post comments on issues or pull requests | 1 | +| **Pull Request Creation** | `create-pull-request:` | Create pull requests with code changes | 1 | +| **Label Addition** | `add-issue-label:` | Add labels to issues or pull requests | 3 | +| **Issue Updates** | `update-issue:` | Update issue status, title, or body | 1 | +| **Push to Branch** | `push-to-branch:` | Push changes directly to a branch | 1 | + ## Overview (`safe-outputs:`) The `safe-outputs:` element of your workflow's frontmatter declares that your agentic workflow should conclude with optional automated actions based on the agentic workflow's output. This enables your workflow to write content that is then automatically processed to create GitHub issues, comments, pull requests, or add labels—all without giving the agentic portion of the workflow any write permissions. diff --git a/pkg/workflow/claude_engine.go b/pkg/workflow/claude_engine.go index 12f2cfdb444..000ba25cb5a 100644 --- a/pkg/workflow/claude_engine.go +++ b/pkg/workflow/claude_engine.go @@ -66,23 +66,26 @@ func (e *ClaudeEngine) GetExecutionConfig(workflowName string, logFile string, e } // Build claude_env based on hasOutput parameter - claudeEnv := "|\n GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}" + claudeEnv := "" if hasOutput { - claudeEnv += "\n GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}" + claudeEnv += " GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}" } + inputs := map[string]string{ + "prompt_file": "/tmp/aw-prompts/prompt.txt", + "anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}", + "mcp_config": "/tmp/mcp-config/mcp-servers.json", + "allowed_tools": "", // Will be filled in during generation + "timeout_minutes": "", // Will be filled in during generation + "max_turns": "", // Will be filled in during generation + } + if claudeEnv != "" { + inputs["claude_env"] = "|\n" + claudeEnv + } config := ExecutionConfig{ StepName: "Execute Claude Code Action", Action: fmt.Sprintf("anthropics/claude-code-base-action@%s", actionVersion), - Inputs: map[string]string{ - "prompt_file": "/tmp/aw-prompts/prompt.txt", - "anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}", - "mcp_config": "/tmp/mcp-config/mcp-servers.json", - "claude_env": claudeEnv, - "allowed_tools": "", // Will be filled in during generation - "timeout_minutes": "", // Will be filled in during generation - "max_turns": "", // Will be filled in during generation - }, + Inputs: inputs, } // Add model configuration if specified diff --git a/pkg/workflow/claude_engine_network_test.go b/pkg/workflow/claude_engine_network_test.go index 0ad521616ba..f3bced7d4ad 100644 --- a/pkg/workflow/claude_engine_network_test.go +++ b/pkg/workflow/claude_engine_network_test.go @@ -108,13 +108,18 @@ func TestClaudeEngineNetworkPermissions(t *testing.T) { t.Errorf("Expected model 'claude-3-5-sonnet-20241022', got '%s'", execConfig.Inputs["model"]) } - // Verify other expected inputs are present - expectedInputs := []string{"prompt_file", "anthropic_api_key", "mcp_config", "claude_env", "allowed_tools", "timeout_minutes", "max_turns"} + // Verify other expected inputs are present (except claude_env when hasOutput=false for security) + expectedInputs := []string{"prompt_file", "anthropic_api_key", "mcp_config", "allowed_tools", "timeout_minutes", "max_turns"} for _, input := range expectedInputs { if _, exists := execConfig.Inputs[input]; !exists { t.Errorf("Expected input '%s' should be present", input) } } + + // claude_env should not be present when hasOutput=false (security improvement) + if _, hasClaudeEnv := execConfig.Inputs["claude_env"]; hasClaudeEnv { + t.Errorf("Expected no claude_env input for security reasons when hasOutput=false") + } }) t.Run("ExecutionConfig with empty network permissions", func(t *testing.T) { diff --git a/pkg/workflow/claude_engine_test.go b/pkg/workflow/claude_engine_test.go index b7e27b586a1..930cc0cf6b3 100644 --- a/pkg/workflow/claude_engine_test.go +++ b/pkg/workflow/claude_engine_test.go @@ -62,9 +62,9 @@ func TestClaudeEngine(t *testing.T) { t.Errorf("Expected mcp_config input, got '%s'", config.Inputs["mcp_config"]) } - expectedClaudeEnv := "|\n GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}" - if config.Inputs["claude_env"] != expectedClaudeEnv { - t.Errorf("Expected claude_env input '%s', got '%s'", expectedClaudeEnv, config.Inputs["claude_env"]) + // claude_env should not be present when hasOutput=false (security improvement) + if _, hasClaudeEnv := config.Inputs["claude_env"]; hasClaudeEnv { + t.Errorf("Expected no claude_env input for security reasons, but got: '%s'", config.Inputs["claude_env"]) } // Check that special fields are present but empty (will be filled during generation) @@ -87,8 +87,8 @@ func TestClaudeEngineWithOutput(t *testing.T) { // Test execution config with hasOutput=true config := engine.GetExecutionConfig("test-workflow", "test-log", nil, true) - // Should include GITHUB_AW_SAFE_OUTPUTS when hasOutput=true - expectedClaudeEnv := "|\n GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}" + // Should include GITHUB_AW_SAFE_OUTPUTS when hasOutput=true, but no GH_TOKEN for security + expectedClaudeEnv := "|\n GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}" if config.Inputs["claude_env"] != expectedClaudeEnv { t.Errorf("Expected claude_env input with output '%s', got '%s'", expectedClaudeEnv, config.Inputs["claude_env"]) } @@ -120,13 +120,18 @@ func TestClaudeEngineConfiguration(t *testing.T) { t.Errorf("Expected action 'anthropics/claude-code-base-action@%s', got '%s'", DefaultClaudeActionVersion, config.Action) } - // Verify all required inputs are present - requiredInputs := []string{"prompt_file", "anthropic_api_key", "mcp_config", "claude_env", "allowed_tools", "timeout_minutes", "max_turns"} + // Verify all required inputs are present (except claude_env when hasOutput=false for security) + requiredInputs := []string{"prompt_file", "anthropic_api_key", "mcp_config", "allowed_tools", "timeout_minutes", "max_turns"} for _, input := range requiredInputs { if _, exists := config.Inputs[input]; !exists { t.Errorf("Expected input '%s' to be present", input) } } + + // claude_env should not be present when hasOutput=false (security improvement) + if _, hasClaudeEnv := config.Inputs["claude_env"]; hasClaudeEnv { + t.Errorf("Expected no claude_env input for security reasons when hasOutput=false") + } }) } } diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index 1f5190d643c..e7d39199333 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go @@ -3151,7 +3151,12 @@ func (c *Compiler) generateEngineExecutionSteps(yaml *strings.Builder, data *Wor fmt.Fprintf(yaml, " max_turns: %s\n", data.EngineConfig.MaxTurns) } } else if value != "" { - fmt.Fprintf(yaml, " %s: %s\n", key, value) + if strings.HasPrefix(value, "|") { + // For YAML literal block scalars, add proper newline after the content + fmt.Fprintf(yaml, " %s: %s\n", key, value) + } else { + fmt.Fprintf(yaml, " %s: %s\n", key, value) + } } } // Add environment section to pass GITHUB_AW_SAFE_OUTPUTS to the action only if safe-outputs feature is used