From 185efd34d7d135e62ab8ca73eac891108fd8804f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 20:06:47 +0000 Subject: [PATCH 1/4] Initial plan From ce5e5c639885eefc2008d8f2a05bbee3b43a30ca Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 20:23:36 +0000 Subject: [PATCH 2/4] Fix malformed version error: set GH_HOST to identity host in proxyEnvVars() The DIFC proxy was injecting GH_HOST=localhost:18443 as step-level env on custom steps. The gh CLI treats any non-github.com/non-*.ghe.com host as GHES and performs a /meta version check before --repo calls. The proxy forwards the check to github.com, which omits installed_version, causing gh to fail with "malformed version: ". Fix: use ${{ env.GH_HOST || 'github.com' }} instead of localhost:18443. This picks up the identity host set by configure_gh_for_ghe.sh: - github.com/GHEC: gh skips the GHES version check entirely - GHES: gh does the version check via GITHUB_API_URL (proxy -> real GHES) All API traffic continues to flow through the proxy via GITHUB_API_URL. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .../patch-fix-difc-proxy-gh-host-mismatch.md | 9 ++- pkg/workflow/compiler_difc_proxy.go | 55 ++++++++++++++++--- pkg/workflow/compiler_difc_proxy_test.go | 23 ++++---- 3 files changed, 66 insertions(+), 21 deletions(-) diff --git a/.changeset/patch-fix-difc-proxy-gh-host-mismatch.md b/.changeset/patch-fix-difc-proxy-gh-host-mismatch.md index ab0bc95fa4c..cd28856fb2e 100644 --- a/.changeset/patch-fix-difc-proxy-gh-host-mismatch.md +++ b/.changeset/patch-fix-difc-proxy-gh-host-mismatch.md @@ -2,6 +2,11 @@ "gh-aw": patch --- -Fix GH_HOST mismatch when DIFC proxy is active with user-defined setup steps: inject a "Derive GH_HOST for setup steps" step immediately after `start_difc_proxy.sh` and before user-defined `steps:`. The proxy sets `GH_HOST=localhost:18443` in `GITHUB_ENV`, which broke `gh` CLI calls in custom steps because the host didn't match the checkout remote. The new step re-derives `GH_HOST` from `GITHUB_SERVER_URL` (GHEC-safe), restoring the correct value for all subsequent user-defined steps while API calls continue to route through the proxy via `GITHUB_API_URL`/`GITHUB_GRAPHQL_URL`. +Fix `malformed version:` error for `gh --repo` commands in user-defined steps when the DIFC proxy is active. -Also remove the hardcoded `GH_HOST: github.com` step-level env override from the `Install GitHub Copilot CLI` step. The override was unnecessary (the install script uses hardcoded `curl` URLs and does not use `gh` CLI) and caused issues on GHEC where the correct host should be derived from `GITHUB_SERVER_URL`. +**Root cause**: `proxyEnvVars()` injected `GH_HOST=localhost:18443` as step-level env on every custom step. The `gh` CLI treats any host that is not `github.com` or `*.ghe.com` as GitHub Enterprise Server (GHES) and performs a `/meta` version check before each `--repo` call. The DIFC proxy forwards the check to the upstream (github.com), which returns `/meta` without `installed_version`. The `gh` CLI rejects the empty version string with `malformed version: ` and aborts. + +**Fix**: Change `GH_HOST` in `proxyEnvVars()` from `localhost:18443` to `${{ env.GH_HOST || 'github.com' }}`. This uses the identity host written to `GITHUB_ENV` by the preceding `configure_gh_for_ghe.sh` step, with a `github.com` fallback: + +- **github.com / GHEC (`*.ghe.com`)**: `GH_HOST` resolves to `github.com` or the GHEC tenant hostname. The `gh` CLI skips the GHES version check entirely. All API traffic still routes through the proxy via `GITHUB_API_URL`. +- **GHES**: `GH_HOST` resolves to the real GHES hostname. The `gh` CLI performs the GHES version check via `GITHUB_API_URL` (the proxy), which forwards the `/meta` request to the real GHES upstream. The GHES response includes `installed_version`, so the check passes. diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index c6338f89995..2860910b07c 100644 --- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go @@ -27,10 +27,11 @@ package workflow // Proxy lifecycle within the main job: // 1. Start proxy — after "Configure gh CLI" step, before custom steps // 2. Custom steps run with step-level env blocks containing GH_HOST, GH_REPO, -// GITHUB_API_URL, GITHUB_GRAPHQL_URL, and NODE_EXTRA_CA_CERTS. These are -// injected by the compiler as step-level env (not via $GITHUB_ENV), so they -// take precedence over job-level env without mutating global state. GHE host -// values set by configure_gh_for_ghe.sh are preserved for non-proxied steps. +// GITHUB_API_URL, GITHUB_GRAPHQL_URL, and NODE_EXTRA_CA_CERTS. GH_HOST is +// set to the identity host from configure_gh_for_ghe.sh (github.com on +// public GitHub, the real GHES/GHEC hostname on enterprise deployments) so +// the gh CLI skips spurious version checks against the proxy. API traffic +// always routes through the proxy via GITHUB_API_URL / GITHUB_GRAPHQL_URL. // 3. Stop proxy — before MCP gateway starts (generateMCPSetup); always runs // even if earlier steps failed (if: always(), continue-on-error: true) // @@ -280,12 +281,45 @@ func (c *Compiler) generateStartDIFCProxyStep(yaml *strings.Builder, data *Workf // proxyEnvVars returns the env vars to inject as step-level env on each custom step // when the DIFC proxy is running. // -// These override $GITHUB_ENV values (such as GH_HOST=myorg.ghe.com on GHE runners) -// without mutating global state. Steps that do not need the proxy (e.g., after -// stop_difc_proxy.sh) continue to see the original job-level env values. +// # GH_HOST value rationale +// +// GH_HOST must NOT be set to the proxy address (localhost:18443) because the gh +// CLI treats any host that is not github.com or *.ghe.com as GitHub Enterprise +// Server (GHES) and performs a version check by calling GET /api/v3/meta before +// every API request made with --repo. The DIFC proxy does not return the +// installed_version field that GHES instances include in /meta; the upstream +// github.com /meta response omits it, so gh rejects the response as +// "malformed version: " and aborts — crashing every gh --repo call in +// user-defined steps. +// +// The correct value for GH_HOST depends on the GitHub deployment type: +// +// - github.com (public GitHub): configure_gh_for_ghe.sh either leaves GH_HOST +// unset or sets it to "github.com". gh treats "github.com" as public GitHub +// and skips the GHES version check entirely. All API traffic is still routed +// through the proxy via GITHUB_API_URL. +// +// - GHEC (*.ghe.com): configure_gh_for_ghe.sh sets GH_HOST to the tenant +// hostname (e.g. myorg.ghe.com). gh treats *.ghe.com the same as github.com +// (no GHES version check), so the same "no broken version check" property +// holds. +// +// - GHES (any other hostname): configure_gh_for_ghe.sh sets GH_HOST to the real +// GHES hostname (e.g. ghes.example.com). gh performs the GHES version check +// using GITHUB_API_URL (the proxy), which forwards GET /meta to the real GHES +// upstream. The real GHES returns installed_version, so the check passes. +// +// Using `${{ env.GH_HOST || 'github.com' }}` therefore selects the correct +// identity host for every deployment type while keeping all API traffic flowing +// through the proxy via GITHUB_API_URL / GITHUB_GRAPHQL_URL. func proxyEnvVars() map[string]string { return map[string]string{ - "GH_HOST": "localhost:18443", + // Use the GH_HOST set by configure_gh_for_ghe.sh (github.com, *.ghe.com, or + // real GHES hostname) rather than the proxy address. Setting GH_HOST to + // localhost:18443 causes the gh CLI to treat the proxy as a GHES instance and + // perform a /meta version check that always fails because the proxy does not + // return installed_version. See the function-level comment for full details. + "GH_HOST": "${{ env.GH_HOST || 'github.com' }}", "GH_REPO": "${{ github.repository }}", "GITHUB_API_URL": "https://localhost:18443/api/v3", "GITHUB_GRAPHQL_URL": "https://localhost:18443/api/graphql", @@ -299,12 +333,15 @@ func proxyEnvVars() map[string]string { // configure_gh_for_ghe.sh are preserved for steps that do not need the proxy. // // The proxy env vars injected are: -// - GH_HOST=localhost:18443 +// - GH_HOST=${{ env.GH_HOST || 'github.com' }} (correct identity host, not proxy addr) // - GH_REPO=${{ github.repository }} // - GITHUB_API_URL=https://localhost:18443/api/v3 // - GITHUB_GRAPHQL_URL=https://localhost:18443/api/graphql // - NODE_EXTRA_CA_CERTS=/tmp/gh-aw/proxy-logs/proxy-tls/ca.crt // +// GH_HOST is intentionally NOT set to the proxy address; see proxyEnvVars() for +// the full rationale. +// // If a step already has an env: block, the proxy vars are merged into it (existing // vars like GH_TOKEN are preserved). If parsing or serialization fails, the original // customSteps string is returned unchanged. diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index bf0682c0d8d..e20f6a2e657 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go @@ -456,7 +456,7 @@ Test that DIFC proxy is injected by default when min-integrity is set with custo "compiled workflow should NOT contain standalone Set GH_REPO step") // Verify proxy env vars are injected into the custom step as step-level env. - assert.Contains(t, result, "GH_HOST: localhost:18443", + assert.Contains(t, result, "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "custom step should have GH_HOST in step-level env") assert.Contains(t, result, "GH_REPO: ${{ github.repository }}", "custom step should have GH_REPO in step-level env") @@ -659,7 +659,10 @@ func TestProxyEnvVars(t *testing.T) { vars := proxyEnvVars() require.NotEmpty(t, vars, "proxyEnvVars should return a non-empty map") - assert.Equal(t, "localhost:18443", vars["GH_HOST"], "GH_HOST should be the proxy address") + // GH_HOST must use the job-level identity host (set by configure_gh_for_ghe.sh), + // NOT the proxy address. Setting it to localhost:18443 causes the gh CLI to treat + // the proxy as a GHES instance and perform a /meta version check that always fails. + assert.Equal(t, "${{ env.GH_HOST || 'github.com' }}", vars["GH_HOST"], "GH_HOST should use the identity host from configure_gh_for_ghe.sh, not the proxy address") assert.Equal(t, "${{ github.repository }}", vars["GH_REPO"], "GH_REPO should reference github.repository") assert.Equal(t, "https://localhost:18443/api/v3", vars["GITHUB_API_URL"], "GITHUB_API_URL should point to proxy") assert.Equal(t, "https://localhost:18443/api/graphql", vars["GITHUB_GRAPHQL_URL"], "GITHUB_GRAPHQL_URL should point to proxy") @@ -686,7 +689,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { name: "step without env gets proxy env block added", customSteps: "steps:\n- name: Step with no env\n run: echo hello\n", expectedContains: []string{ - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "GH_REPO: ${{ github.repository }}", "GITHUB_API_URL: https://localhost:18443/api/v3", "GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql", @@ -699,7 +702,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { customSteps: "steps:\n- name: Step with env\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list\n", expectedContains: []string{ "GH_TOKEN: ${{ github.token }}", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "GH_REPO: ${{ github.repository }}", "GITHUB_API_URL: https://localhost:18443/api/v3", "GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql", @@ -714,7 +717,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { "name: Step 1", "name: Step 2", "MY_VAR: value", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "GH_REPO: ${{ github.repository }}", }, desc: "all steps should have proxy env injected", @@ -724,7 +727,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { customSteps: "steps:\n- name: Checkout\n uses: actions/checkout@v4\n with:\n token: ${{ github.token }}\n", expectedContains: []string{ "uses: actions/checkout@v4", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "GH_REPO: ${{ github.repository }}", }, desc: "uses: steps should also get proxy env injected", @@ -737,7 +740,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { "cmd2", "cmd3", "GH_TOKEN: ${{ github.token }}", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", }, desc: "multiline run content should be preserved after injection", }, @@ -758,7 +761,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { " path: /tmp/output\n", expectedContains: []string{ "uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "GH_REPO: ${{ github.repository }}", }, expectedAbsent: []string{ @@ -777,7 +780,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { " run: echo hello\n", expectedContains: []string{ "name: Run script", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", }, desc: "name field should appear before env in the output", }, @@ -795,7 +798,7 @@ func TestInjectProxyEnvIntoCustomSteps(t *testing.T) { " run: gh issue list\n", expectedContains: []string{ "GH_TOKEN: ${{ github.token }}", - "GH_HOST: localhost:18443", + "GH_HOST: ${{ env.GH_HOST || 'github.com' }}", "GITHUB_API_URL: https://localhost:18443/api/v3", "GH_REPO: ${{ github.repository }}", "GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql", From 0d8bfe6418e57c776a779a6f444502787943710c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 20:24:59 +0000 Subject: [PATCH 3/4] Address code review: condense inline comment and simplify test comment Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- pkg/workflow/compiler_difc_proxy.go | 7 ++----- pkg/workflow/compiler_difc_proxy_test.go | 4 +--- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index 2860910b07c..77ed48a0bca 100644 --- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go @@ -314,11 +314,8 @@ func (c *Compiler) generateStartDIFCProxyStep(yaml *strings.Builder, data *Workf // through the proxy via GITHUB_API_URL / GITHUB_GRAPHQL_URL. func proxyEnvVars() map[string]string { return map[string]string{ - // Use the GH_HOST set by configure_gh_for_ghe.sh (github.com, *.ghe.com, or - // real GHES hostname) rather than the proxy address. Setting GH_HOST to - // localhost:18443 causes the gh CLI to treat the proxy as a GHES instance and - // perform a /meta version check that always fails because the proxy does not - // return installed_version. See the function-level comment for full details. + // Identity host from configure_gh_for_ghe.sh, not the proxy address. + // See function-level comment for full rationale. "GH_HOST": "${{ env.GH_HOST || 'github.com' }}", "GH_REPO": "${{ github.repository }}", "GITHUB_API_URL": "https://localhost:18443/api/v3", diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index e20f6a2e657..de31248896c 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go @@ -659,9 +659,7 @@ func TestProxyEnvVars(t *testing.T) { vars := proxyEnvVars() require.NotEmpty(t, vars, "proxyEnvVars should return a non-empty map") - // GH_HOST must use the job-level identity host (set by configure_gh_for_ghe.sh), - // NOT the proxy address. Setting it to localhost:18443 causes the gh CLI to treat - // the proxy as a GHES instance and perform a /meta version check that always fails. + // GH_HOST should use the identity host expression, not the proxy address. assert.Equal(t, "${{ env.GH_HOST || 'github.com' }}", vars["GH_HOST"], "GH_HOST should use the identity host from configure_gh_for_ghe.sh, not the proxy address") assert.Equal(t, "${{ github.repository }}", vars["GH_REPO"], "GH_REPO should reference github.repository") assert.Equal(t, "https://localhost:18443/api/v3", vars["GITHUB_API_URL"], "GITHUB_API_URL should point to proxy") From 2dd013798dcaafb17c4975fbe26c873d7b5f9176 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 21:09:52 +0000 Subject: [PATCH 4/4] Plan CI failure investigation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/contribution-check.lock.yml | 2 +- .github/workflows/daily-issues-report.lock.yml | 12 ++++++------ .../dataflow-pr-discussion-dataset.lock.yml | 8 ++++---- .github/workflows/issue-arborist.lock.yml | 14 +++++++------- .github/workflows/stale-repo-identifier.lock.yml | 8 ++++---- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 341026a79b5..04dc0dd4d61 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -437,7 +437,7 @@ jobs: > /tmp/gh-aw/agent/unlabeled-issues.json echo "Unlabeled issues: $(jq length /tmp/gh-aw/agent/unlabeled-issues.json)" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index fd0fdc23200..a0892b416e9 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -474,7 +474,7 @@ jobs: echo "ℹ No CONTRIBUTING.md found in $TARGET_REPOSITORY (checked root, .github/, docs/)" fi env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 92d4596ca7c..2fc1973e17f 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -496,7 +496,7 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/install_gh_cli.sh" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -554,7 +554,7 @@ jobs: echo "Issues data available at: /tmp/gh-aw/agent/issues-data/issues.json" echo "Schema available at: /tmp/gh-aw/agent/issues-data/issues-schema.json" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 @@ -575,7 +575,7 @@ jobs: echo "Charts directory: /tmp/gh-aw/python/charts" echo "Artifacts directory: /tmp/gh-aw/python/artifacts" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -598,7 +598,7 @@ jobs: echo "All scientific libraries installed successfully" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -607,7 +607,7 @@ jobs: if: always() uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -639,7 +639,7 @@ jobs: /tmp/gh-aw/agent/venv/bin/python3 -c "import sklearn; print(f'scikit-learn {sklearn.__version__}')" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index c09e5709445..f8da1a2425a 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -456,7 +456,7 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/install_gh_cli.sh" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -596,7 +596,7 @@ jobs: echo "Discussions data available at: /tmp/gh-aw/agent/discussions-data/discussions.json" echo "Schema available at: /tmp/gh-aw/agent/discussions-data/discussions-schema.json" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 @@ -619,7 +619,7 @@ jobs: " mkdir -p /tmp/gh-aw/agent/dataflow/{input,output,pipeline,reports} env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -638,7 +638,7 @@ jobs: echo "Fetched $(jq 'length' /tmp/gh-aw/agent/dataflow/input/prs.json) merged PRs" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index de1b0835eb4..1700fbec8e5 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -478,7 +478,7 @@ jobs: echo "Schema of the issues data:" cat /tmp/gh-aw/agent/issues-data/issues-schema.json | jq . env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 @@ -1448,18 +1448,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.20' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_39aad0c51e2ad02f_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_05af8b52f356b01f_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["^CODEX_API_KEY$", "^HOME$", "^OPENAI_API_KEY$", "^PATH$"] - GH_AW_MCP_CONFIG_39aad0c51e2ad02f_EOF + GH_AW_MCP_CONFIG_05af8b52f356b01f_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_55e53497da0cf19c_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_8af78d249ea24079_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1470,11 +1470,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_55e53497da0cf19c_EOF + GH_AW_MCP_CONFIG_8af78d249ea24079_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_d78f8999c33b805a_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_d9487fef0a6b7f73_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1484,7 +1484,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["^CODEX_API_KEY$", "^HOME$", "^OPENAI_API_KEY$", "^PATH$"] - GH_AW_CODEX_SHELL_POLICY_d78f8999c33b805a_EOF + GH_AW_CODEX_SHELL_POLICY_d9487fef0a6b7f73_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 4d05dff2e9b..361ef1050ce 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -464,7 +464,7 @@ jobs: echo "/tmp/gh-aw/agent/venv/bin" >> "$GITHUB_PATH" /tmp/gh-aw/agent/venv/bin/pip install --quiet numpy pandas matplotlib seaborn scipy env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -473,7 +473,7 @@ jobs: if: always() uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql @@ -491,7 +491,7 @@ jobs: env: ADDITIONAL_METRICS: release,pr EXEMPT_TOPICS: keep,template - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_API_URL: https://localhost:18443/api/v3 @@ -506,7 +506,7 @@ jobs: echo "Stale repositories data saved" echo "Total stale repositories: $(jq 'length' /tmp/gh-aw/agent/stale-repos-data/inactive-repos.json)" env: - GH_HOST: localhost:18443 + GH_HOST: ${{ env.GH_HOST || 'github.com' }} GH_REPO: ${{ github.repository }} GITHUB_API_URL: https://localhost:18443/api/v3 GITHUB_GRAPHQL_URL: https://localhost:18443/api/graphql