From 4283c4c4db4d1e0c3a9ca613dfe0ff01eaed422b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 1 Jun 2026 11:37:42 +0000 Subject: [PATCH 1/5] feat: validate private workflows in aw manifests Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/add_package_manifest.go | 33 ++++++++++ pkg/cli/add_package_manifest_test.go | 67 ++++++++++++++++++++ pkg/cli/compile_repository_manifest.go | 68 ++++++++++++++++++++- pkg/cli/compile_repository_manifest_test.go | 30 +++++++++ pkg/cli/packages.go | 20 ++++-- 5 files changed, 212 insertions(+), 6 deletions(-) diff --git a/pkg/cli/add_package_manifest.go b/pkg/cli/add_package_manifest.go index 1ff46631dfb..03a967bcbca 100644 --- a/pkg/cli/add_package_manifest.go +++ b/pkg/cli/add_package_manifest.go @@ -111,6 +111,15 @@ func resolveRepositoryPackage(repoSpec *RepoSpec, host string) (*resolvedReposit if err := validateUniqueManifestWorkflowFilenames(installationSources, manifestPath); err != nil { return nil, err } + if err := validateManifestInstallableWorkflowPrivacy(manifestPath, installationSources, func(sourcePath string) ([]byte, error) { + content, err := downloadPackageFileFromGitHubForHost(owner, repo, sourcePath, ref, host) + if err != nil { + return nil, fmt.Errorf("failed to read workflow %q from %s/%s@%s: %w", sourcePath, owner, repo, ref, err) + } + return content, nil + }); err != nil { + return nil, err + } docsPath, err := resolveRepositoryPackageDocsPath(owner, repo, packagePath, ref, host) if err != nil { 
@@ -705,6 +714,30 @@ func normalizePackageInstallablePaths(paths []string, packagePath string) []stri return normalized } +func validateManifestInstallableWorkflowPrivacy(manifestPath string, installationSources []string, readWorkflow func(string) ([]byte, error)) error { + for _, installationSource := range installationSources { + if isActionWorkflowPath(installationSource) { + continue + } + + content, err := readWorkflow(installationSource) + if err != nil { + return fmt.Errorf("invalid Agentic Workflow manifest %q: %w", manifestPath, err) + } + + privateValue, hasPrivate := ExtractWorkflowPrivateSetting(string(content)) + if !hasPrivate { + continue + } + if privateValue { + return fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included because private workflows cannot be added", manifestPath, installationSource) + } + return fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: false; remove the private field because manifest-listed workflows must not declare it", manifestPath, installationSource) + } + + return nil +} + func isSupportedPackageInstallablePath(p string) bool { // Normalize separators to forward slashes (consistent with joinRepositoryPackagePath) then // clean to reject path traversal (e.g. "workflows/../README.md" → "README.md"). diff --git a/pkg/cli/add_package_manifest_test.go b/pkg/cli/add_package_manifest_test.go index 5163712dec6..dca57b3e33f 100644 --- a/pkg/cli/add_package_manifest_test.go +++ b/pkg/cli/add_package_manifest_test.go 
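Review bot: validateManifestInstallableWorkflowPrivacy has no doc comment, and its contract is not obvious from the name: it rejects an explicit `private` of either value, skips paths matched by isActionWorkflowPath, and returns at the first offending workflow. I would add `// validateManifestInstallableWorkflowPrivacy rejects any manifest-listed workflow whose frontmatter declares private (true or false); action workflow paths are not inspected.` above the function. The comment should also say that a workflow whose frontmatter cannot be parsed is treated as having no `private` field, because ExtractWorkflowPrivateSetting returns (false, false) in that case and the loop simply continues.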
@@ -178,6 +178,29 @@ files: assert.Equal(t, []string{"workflows/review.md", ".github/workflows/nightly-review.md"}, pkg.InstallationSource) }) + t.Run("rejects manifest workflow with private false", func(t *testing.T) { + downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { + switch path { + case "aw.yml": + return []byte("name: Repo Assist\nfiles:\n - workflows/review.md\n"), nil + case "README.md": + return []byte("# Repo Assist\n"), nil + case "workflows/review.md": + return []byte("---\nprivate: false\n---\n\n# Review\n"), nil + default: + return nil, createRepositoryPackageNotFoundError(path) + } + } + listPackageWorkflowFilesForHost = func(owner, repo, ref, workflowPath, host string) ([]string, error) { + t.Fatalf("unexpected scan of %s", workflowPath) + return nil, nil + } + + _, err := resolveRepositoryPackage(&RepoSpec{RepoSlug: "owner/repo"}, "") + require.Error(t, err) + assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) + }) + t.Run("passes explicit host to scanning fallback", func(t *testing.T) { downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { switch path { 
@@ -433,6 +456,50 @@ func TestResolveWorkflows_RepositoryPackage(t *testing.T) { getRepositoryPackageDefaultBranch = func(repoSlug, host string) (string, error) { return "main", nil } + + func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { + originalDownload := downloadPackageFileFromGitHubForHost + originalList := listPackageWorkflowFilesForHost + originalDirFiles := listPackageDirFilesForHost + originalDirSubdirs := listPackageDirSubdirsForHost + originalDefaultBranch := getRepositoryPackageDefaultBranch + t.Cleanup(func() { + downloadPackageFileFromGitHubForHost = originalDownload + listPackageWorkflowFilesForHost = originalList + listPackageDirFilesForHost = originalDirFiles + listPackageDirSubdirsForHost = originalDirSubdirs + getRepositoryPackageDefaultBranch = originalDefaultBranch + }) + getRepositoryPackageDefaultBranch = func(repoSlug, host string) (string, error) { + return "main", nil + } + listPackageDirFilesForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { + return nil, createRepositoryPackageNotFoundError(dirPath) + } + listPackageDirSubdirsForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { + return nil, createRepositoryPackageNotFoundError(dirPath) + } + downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { + switch path { + case "aw.yml": + return []byte("name: Repo Assist\nfiles:\n - workflows/review.md\n"), nil + case "README.md": + return []byte("# Repo Assist\n"), nil + case "workflows/review.md": + return []byte("---\nprivate: false\n---\n\n# Review\n"), nil + default: + return nil, createRepositoryPackageNotFoundError(path) + } + } + listPackageWorkflowFilesForHost = func(owner, repo, ref, workflowPath, host string) ([]string, error) { + t.Fatalf("unexpected scan of %s", workflowPath) + return nil, nil + } + + _, err := ResolveWorkflows(context.Background(), []string{"owner/repo"}, false) + require.Error(t, err) + 
assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) + } listPackageDirFilesForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { return nil, createRepositoryPackageNotFoundError(dirPath) } diff --git a/pkg/cli/compile_repository_manifest.go b/pkg/cli/compile_repository_manifest.go index 3e49d7370f2..de14b272b8d 100644 --- a/pkg/cli/compile_repository_manifest.go +++ b/pkg/cli/compile_repository_manifest.go @@ -3,6 +3,7 @@ package cli import ( "errors" "fmt" + "io/fs" "os" "path/filepath" 
@@ -102,10 +103,75 @@ func findLocalRepositoryPackageManifest(gitRoot string) (string, error) { func validateLocalRepositoryPackageContents(manifestPath string) error { readmePath := filepath.Join(filepath.Dir(manifestPath), "README.md") if _, err := os.Stat(readmePath); err == nil { - return nil + manifestContent, err := os.ReadFile(manifestPath) + if err != nil { + return fmt.Errorf("failed to read Agentic Workflow manifest %q: %w", manifestPath, err) + } + manifest, _, err := parseRepositoryPackageManifest(manifestPath, manifestContent) + if err != nil { + return err + } + + includeInstallablePaths, _, _ := splitManifestIncludePaths(manifest.Includes) + includeInstallablePaths = append(includeInstallablePaths, manifest.Files...) + installationSources := normalizePackageInstallablePaths(includeInstallablePaths, "") + if len(installationSources) == 0 { + installationSources, err = scanLocalRepositoryPackageInstallablePaths(filepath.Dir(manifestPath)) + if err != nil { + return err + } + } + + return validateManifestInstallableWorkflowPrivacy(manifestPath, installationSources, func(sourcePath string) ([]byte, error) { + content, err := os.ReadFile(filepath.Join(filepath.Dir(manifestPath), filepath.FromSlash(sourcePath))) + if err != nil { + return nil, fmt.Errorf("failed to read workflow %q: %w", sourcePath, err) + } + return content, nil + }) } else if os.IsNotExist(err) { return fmt.Errorf("invalid Agentic Workflow manifest %q: missing required README.md", manifestPath) } else { return fmt.Errorf("failed to read package README %q: %w", readmePath, err) } } + +func scanLocalRepositoryPackageInstallablePaths(packageDir string) ([]string, error) { + var collected []string + seen := make(map[string]struct{}) + + for _, sourceDir := range packageSourceDirectories { + sourcePath := filepath.Join(packageDir, filepath.FromSlash(sourceDir)) + err := filepath.WalkDir(sourcePath, func(currentPath string, d fs.DirEntry, walkErr error) error { + if walkErr != nil { + return 
walkErr + } + if d.IsDir() { + return nil + } + + relativePath, err := filepath.Rel(packageDir, currentPath) + if err != nil { + return err + } + relativePath = filepath.ToSlash(relativePath) + if !isSupportedPackageInstallablePath(relativePath) { + return nil + } + if _, exists := seen[relativePath]; exists { + return nil + } + seen[relativePath] = struct{}{} + collected = append(collected, relativePath) + return nil + }) + if err != nil { + if os.IsNotExist(err) { + continue + } + return nil, fmt.Errorf("failed to scan %q: %w", sourcePath, err) + } + } + + return collected, nil +} diff --git a/pkg/cli/compile_repository_manifest_test.go b/pkg/cli/compile_repository_manifest_test.go index 28cf43c8737..624245fae73 100644 --- a/pkg/cli/compile_repository_manifest_test.go +++ b/pkg/cli/compile_repository_manifest_test.go 
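Review bot: The reader closure passed to validateManifestInstallableWorkflowPrivacy joins a manifest-supplied `sourcePath` onto the manifest directory and hands it to os.ReadFile with no containment check in this hunk. Containment may already be enforced inside normalizePackageInstallablePaths, whose body is not shown here, but a guard at the read site keeps the file access from depending on that: `if !filepath.IsLocal(filepath.FromSlash(sourcePath)) { return nil, fmt.Errorf("workflow path %q escapes the package directory", sourcePath) }`. A lexical check does not cover symlinks inside the package directory, which os.ReadFile follows. Separately, `includeInstallablePaths, _, _ := splitManifestIncludePaths(manifest.Includes)` discards two results; if either carries rejected or invalid entries, compile-time validation skips them silently, so the discarded values deserve a comment saying why they are safe to ignore.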
@@ -180,6 +180,36 @@ name: Repo Assist assert.Contains(t, err.Error(), "missing required README.md") } +func TestCompileWorkflows_RejectsManifestWorkflowWithPrivateFalse(t *testing.T) { + tmpDir := testutil.TempDir(t, "aw-manifest-private-false-*") + originalWd, err := os.Getwd() + require.NoError(t, err) + t.Cleanup(func() { _ = os.Chdir(originalWd) }) + require.NoError(t, os.Chdir(tmpDir)) + + cmd := exec.Command("git", "init") + cmd.Dir = tmpDir + require.NoError(t, cmd.Run()) + + require.NoError(t, os.MkdirAll(filepath.Join(tmpDir, "workflows"), 0o755)) + require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "workflows", "review.md"), []byte(`--- +private: false +--- + +# Review +`), 0o644)) + require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "README.md"), []byte("# Repo Assist\n"), 0o644)) + require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "aw.yml"), []byte(`manifest-version: "1" +name: Repo Assist +files: + - workflows/review.md +`), 0o644)) + + _, err = CompileWorkflows(context.Background(), CompileConfig{}) + require.Error(t, err) + assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) +} + func TestValidateRepositoryManifestForCompilation_PropagatesGitRootErrors(t *testing.T) { originalFindGitRoot := findGitRootForManifestValidation t.Cleanup(func() { diff --git a/pkg/cli/packages.go b/pkg/cli/packages.go index 7375870845c..6963d87c8b3 100644 --- a/pkg/cli/packages.go +++ b/pkg/cli/packages.go 
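Review bot: This test pins only the `private: false` message; the `private: true` branch of validateManifestInstallableWorkflowPrivacy and the fallback through scanLocalRepositoryPackageInstallablePaths (a manifest with no `files:` entries) are not exercised anywhere in this patch. A table covering both values, plus one case with an empty `files:` list so the directory scan supplies the paths, would cover the branches that actually block installation. The same gap applies to TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse in the following patch. The test also changes the process working directory with os.Chdir, so it should carry a comment that it must not be run with `t.Parallel()`.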
@@ -230,20 +230,30 @@ func ExtractWorkflowEngine(content string) string { return "" } -// ExtractWorkflowPrivate extracts the private field from workflow content string. -// Returns true if the workflow has private: true in its frontmatter. -func ExtractWorkflowPrivate(content string) bool { +// ExtractWorkflowPrivateSetting extracts the private field from workflow content string. +// Returns the boolean value and whether the field was explicitly present. +func ExtractWorkflowPrivateSetting(content string) (bool, bool) { result, err := parser.ExtractFrontmatterFromContent(content) if err != nil { - return false + return false, false } if private, ok := result.Frontmatter["private"]; ok { if privateBool, ok := private.(bool); ok { - return privateBool + return privateBool, true } } + return false, false +} + +// ExtractWorkflowPrivate extracts the private field from workflow content string. +// Returns true if the workflow has private: true in its frontmatter. +func ExtractWorkflowPrivate(content string) bool { + privateBool, ok := ExtractWorkflowPrivateSetting(content) + if ok { + return privateBool + } return false } From c25f30d9203563ab656ce94a069bcfb7462092e7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 1 Jun 2026 11:40:52 +0000 Subject: [PATCH 2/5] test: cover manifest private workflow rejection Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/add_package_manifest.go | 9 -- pkg/cli/add_package_manifest_test.go | 121 ++++++++++++--------------- pkg/cli/add_workflow_resolution.go | 11 +++ 3 files changed, 65 insertions(+), 76 deletions(-) diff --git a/pkg/cli/add_package_manifest.go b/pkg/cli/add_package_manifest.go index 03a967bcbca..e81233be5ea 100644 --- a/pkg/cli/add_package_manifest.go +++ b/pkg/cli/add_package_manifest.go 
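Review bot: ExtractWorkflowPrivateSetting reports the field as absent when `private` is present but is not a YAML boolean (for example a quoted `"true"`), because the failed `private.(bool)` assertion falls through to `return false, false`; an error from ExtractFrontmatterFromContent takes the same path. The manifest checks built on this function are meant to reject any declared `private`, so both cases fail open and the workflow passes validation. Presence can be reported independently of type with `privateBool, _ := private.(bool)` followed by `return privateBool, true` inside the key-found branch, which leaves ExtractWorkflowPrivate's result unchanged. Since a non-boolean value would then be reported with the `private: false` wording, an additional error return that callers turn into a "private must be a boolean" message would be the cleaner form.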
@@ -111,15 +111,6 @@ func resolveRepositoryPackage(repoSpec *RepoSpec, host string) (*resolvedReposit if err := validateUniqueManifestWorkflowFilenames(installationSources, manifestPath); err != nil { return nil, err } - if err := validateManifestInstallableWorkflowPrivacy(manifestPath, installationSources, func(sourcePath string) ([]byte, error) { - content, err := downloadPackageFileFromGitHubForHost(owner, repo, sourcePath, ref, host) - if err != nil { - return nil, fmt.Errorf("failed to read workflow %q from %s/%s@%s: %w", sourcePath, owner, repo, ref, err) - } - return content, nil - }); err != nil { - return nil, err - } docsPath, err := resolveRepositoryPackageDocsPath(owner, repo, packagePath, ref, host) if err != nil { diff --git a/pkg/cli/add_package_manifest_test.go b/pkg/cli/add_package_manifest_test.go index dca57b3e33f..a8099cc968b 100644 --- a/pkg/cli/add_package_manifest_test.go +++ b/pkg/cli/add_package_manifest_test.go 
@@ -178,29 +178,6 @@ files: assert.Equal(t, []string{"workflows/review.md", ".github/workflows/nightly-review.md"}, pkg.InstallationSource) }) - t.Run("rejects manifest workflow with private false", func(t *testing.T) { - downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { - switch path { - case "aw.yml": - return []byte("name: Repo Assist\nfiles:\n - workflows/review.md\n"), nil - case "README.md": - return []byte("# Repo Assist\n"), nil - case "workflows/review.md": - return []byte("---\nprivate: false\n---\n\n# Review\n"), nil - default: - return nil, createRepositoryPackageNotFoundError(path) - } - } - listPackageWorkflowFilesForHost = func(owner, repo, ref, workflowPath, host string) ([]string, error) { - t.Fatalf("unexpected scan of %s", workflowPath) - return nil, nil - } - - _, err := resolveRepositoryPackage(&RepoSpec{RepoSlug: "owner/repo"}, "") - require.Error(t, err) - assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) - }) - t.Run("passes explicit host to scanning fallback", func(t *testing.T) { downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { switch path { 
@@ -456,50 +433,6 @@ func TestResolveWorkflows_RepositoryPackage(t *testing.T) { getRepositoryPackageDefaultBranch = func(repoSlug, host string) (string, error) { return "main", nil } - - func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { - originalDownload := downloadPackageFileFromGitHubForHost - originalList := listPackageWorkflowFilesForHost - originalDirFiles := listPackageDirFilesForHost - originalDirSubdirs := listPackageDirSubdirsForHost - originalDefaultBranch := getRepositoryPackageDefaultBranch - t.Cleanup(func() { - downloadPackageFileFromGitHubForHost = originalDownload - listPackageWorkflowFilesForHost = originalList - listPackageDirFilesForHost = originalDirFiles - listPackageDirSubdirsForHost = originalDirSubdirs - getRepositoryPackageDefaultBranch = originalDefaultBranch - }) - getRepositoryPackageDefaultBranch = func(repoSlug, host string) (string, error) { - return "main", nil - } - listPackageDirFilesForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { - return nil, createRepositoryPackageNotFoundError(dirPath) - } - listPackageDirSubdirsForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { - return nil, createRepositoryPackageNotFoundError(dirPath) - } - downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { - switch path { - case "aw.yml": - return []byte("name: Repo Assist\nfiles:\n - workflows/review.md\n"), nil - case "README.md": - return []byte("# Repo Assist\n"), nil - case "workflows/review.md": - return []byte("---\nprivate: false\n---\n\n# Review\n"), nil - default: - return nil, createRepositoryPackageNotFoundError(path) - } - } - listPackageWorkflowFilesForHost = func(owner, repo, ref, workflowPath, host string) ([]string, error) { - t.Fatalf("unexpected scan of %s", workflowPath) - return nil, nil - } - - _, err := ResolveWorkflows(context.Background(), []string{"owner/repo"}, false) - require.Error(t, err) - 
assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) - } listPackageDirFilesForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { return nil, createRepositoryPackageNotFoundError(dirPath) } 
@@ -540,6 +473,60 @@ files: assert.Equal(t, ".github/workflows/nightly-review.md", resolved.Workflows[1].Spec.WorkflowPath) } +func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { + originalFetchFn := fetchWorkflowFromSourceWithContextFn + originalDownload := downloadPackageFileFromGitHubForHost + originalList := listPackageWorkflowFilesForHost + originalDirFiles := listPackageDirFilesForHost + originalDirSubdirs := listPackageDirSubdirsForHost + originalDefaultBranch := getRepositoryPackageDefaultBranch + t.Cleanup(func() { + fetchWorkflowFromSourceWithContextFn = originalFetchFn + downloadPackageFileFromGitHubForHost = originalDownload + listPackageWorkflowFilesForHost = originalList + listPackageDirFilesForHost = originalDirFiles + listPackageDirSubdirsForHost = originalDirSubdirs + getRepositoryPackageDefaultBranch = originalDefaultBranch + }) + getRepositoryPackageDefaultBranch = func(repoSlug, host string) (string, error) { + return "main", nil + } + listPackageDirFilesForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { + return nil, createRepositoryPackageNotFoundError(dirPath) + } + listPackageDirSubdirsForHost = func(owner, repo, ref, dirPath, host string) ([]string, error) { + return nil, createRepositoryPackageNotFoundError(dirPath) + } + downloadPackageFileFromGitHubForHost = func(owner, repo, path, ref, host string) ([]byte, error) { + switch path { + case "aw.yml": + return []byte("name: Repo Assist\nfiles:\n - workflows/review.md\n"), nil + case "README.md": + return []byte("# Repo Assist\n"), nil + case "workflows/review.md": + return []byte("---\nprivate: false\n---\n\n# Review\n"), nil + default: + return nil, createRepositoryPackageNotFoundError(path) + } + } + listPackageWorkflowFilesForHost = func(owner, repo, ref, workflowPath, host string) ([]string, error) { + t.Fatalf("unexpected scan of %s", workflowPath) + return nil, nil + } + fetchWorkflowFromSourceWithContextFn = func(_ context.Context, 
spec *WorkflowSpec, _ bool) (*FetchedWorkflow, error) { + return &FetchedWorkflow{ + Content: []byte("---\nprivate: false\n---\n\n# Review\n"), + CommitSHA: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + IsLocal: false, + SourcePath: spec.WorkflowPath, + }, nil + } + + _, err := ResolveWorkflows(context.Background(), []string{"owner/repo"}, false) + require.Error(t, err) + assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) +} + func TestResolveWorkflows_NestedRepositoryPackage(t *testing.T) { originalFetchFn := fetchWorkflowFromSourceWithContextFn originalDownload := downloadPackageFileFromGitHubForHost diff --git a/pkg/cli/add_workflow_resolution.go b/pkg/cli/add_workflow_resolution.go index d8781a84bc7..bebcd640721 100644 --- a/pkg/cli/add_workflow_resolution.go +++ b/pkg/cli/add_workflow_resolution.go @@ -214,6 +214,17 @@ func ResolveWorkflows(ctx context.Context, workflows []string, verbose bool) (*R // Extract engine from content (if specified in frontmatter) engine := ExtractWorkflowEngine(string(fetched.Content)) + if spec.FromRepositoryManifest { + privateValue, hasPrivate := ExtractWorkflowPrivateSetting(string(fetched.Content)) + if hasPrivate { + manifestPath := joinRepositoryPackagePath(spec.PackagePath, repositoryPackageManifestFileName) + if privateValue { + return nil, fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included because private workflows cannot be added", manifestPath, resolvedSpec.WorkflowPath) + } + return nil, fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: false; remove the private field because manifest-listed workflows must not declare it", manifestPath, resolvedSpec.WorkflowPath) + } + } + // Check if workflow is private - private workflows cannot be added to other repositories isPrivate := ExtractWorkflowPrivate(string(fetched.Content)) if isPrivate { From c7f6c4007e03b9cbac0f4d99a8947c8836ce2c29 Mon Sep 17 00:00:00 2001 
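Review bot: The two rejection messages added to ResolveWorkflows are character-for-character copies of the ones in validateManifestInstallableWorkflowPrivacy, which after this patch is reached only from the compile path, so the add-time and compile-time rules can drift apart without any test noticing. A small shared helper that takes the manifest path, the workflow path and the content and returns the error would keep one copy of the decision and of the wording, and both call sites would reduce to a single call. The check also depends on `spec.FromRepositoryManifest` being set for every manifest-derived spec, and where that flag is assigned is not visible in this patch. ResolveWorkflows starts and ends outside the hunk.

```go
// checkManifestWorkflowPrivacy returns an error when a manifest-listed
// workflow declares the private field, whatever its value.
func checkManifestWorkflowPrivacy(manifestPath, workflowPath, content string) error {
	privateValue, hasPrivate := ExtractWorkflowPrivateSetting(content)
	if !hasPrivate {
		return nil
	}
	if privateValue {
		return fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included because private workflows cannot be added", manifestPath, workflowPath)
	}
	return fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: false; remove the private field because manifest-listed workflows must not declare it", manifestPath, workflowPath)
}

// … unchanged: ExtractWorkflowEngine call in ResolveWorkflows …
		if spec.FromRepositoryManifest {
			manifestPath := joinRepositoryPackagePath(spec.PackagePath, repositoryPackageManifestFileName)
			if err := checkManifestWorkflowPrivacy(manifestPath, resolvedSpec.WorkflowPath, string(fetched.Content)); err != nil {
				return nil, err
			}
		}
// … unchanged: standalone ExtractWorkflowPrivate check …
```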
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 1 Jun 2026 11:57:54 +0000 Subject: [PATCH 3/5] docs: add draft ADR for manifest private-field rejection Co-Authored-By: Claude Opus 4.8 (1M context) --- ...ect-private-field-in-manifest-workflows.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/adr/36227-reject-private-field-in-manifest-workflows.md diff --git a/docs/adr/36227-reject-private-field-in-manifest-workflows.md b/docs/adr/36227-reject-private-field-in-manifest-workflows.md new file mode 100644 index 00000000000..f3a49ff205a --- /dev/null +++ b/docs/adr/36227-reject-private-field-in-manifest-workflows.md 
@@ -0,0 +1,38 @@ +# ADR-36227: Reject the `private` Field in Manifest-Listed Installable Workflows + +**Date**: 2026-06-01 +**Status**: Draft + +## Context + +`aw.yml` package manifests can list installable workflows that other repositories add via `gh aw add` / `gh aw add-wizard`. The `private` frontmatter field was designed to block a standalone workflow from being installed elsewhere (`private: true`), but the manifest resolution path only consulted `ExtractWorkflowPrivate`, which returned `false` for both an absent field and an explicit `private: false`. As a result, a manifest could list a workflow declaring `private: false`, and that declaration would silently pass — leaking an installation-control field into package manifests where it has no coherent meaning. A workflow that is listed in a manifest is, by definition, meant to be installed, so any `private` declaration on it (true *or* false) is contradictory and should be surfaced rather than ignored. + +## Decision + +We will treat the presence of a `private` field on a manifest-listed installable workflow as a manifest validation error, distinguishing presence from value. We split `ExtractWorkflowPrivate(content) bool` into a presence-aware `ExtractWorkflowPrivateSetting(content) (value, present bool)`, keeping `ExtractWorkflowPrivate` as a thin wrapper for the existing standalone-add behavior. Both manifest-backed resolution (`ResolveWorkflows` for `FromRepositoryManifest` specs) and compile-time local manifest validation (`validateLocalRepositoryPackageContents`) now reject any listed workflow that declares `private`, emitting manifest-scoped errors that name the offending workflow path: `private: true` reports that private workflows cannot be added, and `private: false` instructs the author to remove the field. 
+ +## Alternatives Considered + +### Alternative 1: Keep value-only extraction and reject only `private: true` +Continue using the boolean-only `ExtractWorkflowPrivate` and reject manifest workflows only when it returns `true`. This was rejected because it cannot distinguish an absent field from `private: false`, so the originally-reported leak (`private: false` slipping into a manifest) would remain silently accepted, and authors would get no signal that the field is meaningless in a manifest context. + +### Alternative 2: Strip or normalize the `private` field during manifest install instead of erroring +Silently drop the `private` field when resolving manifest workflows so installation proceeds regardless. This was rejected because silent normalization hides author intent and conflicts with the project's fail-loud manifest-validation posture; an explicit, path-scoped error is more debuggable and prevents shipping manifests that encode contradictory intent. + +## Consequences + +### Positive +- Closes the leak where `private: false` in a manifest-listed workflow was silently accepted; the field is now rejected at both add time and compile time. +- Error messages are presence- and value-aware and name the offending workflow path, making the fix obvious to manifest authors. + +### Negative +- Existing published manifests that list workflows carrying any `private` declaration will now fail to add/compile until the field is removed — a breaking change for those packages. +- Introduces a second extraction function (`ExtractWorkflowPrivateSetting` alongside `ExtractWorkflowPrivate`) and parallel rejection logic in both the resolution and compile-time paths that must stay in sync. + +### Neutral +- Standalone (non-manifest) workflow adds are unchanged: `private: true` still blocks installation via the preserved `ExtractWorkflowPrivate` path. 
+- Compile-time validation now scans manifest-listed installable paths (explicit `files:`/`includes:` entries, or discovered package directories) to apply the rule uniformly. + +--- + +*This is a DRAFT ADR generated by the [Design Decision Gate](https://github.com/github/gh-aw/actions/runs/26752819392) workflow. The PR author must review, complete, and finalize this document before the PR can merge.* From 31304fdc92b6f8212ec94642c8beb29174b536cd Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 1 Jun 2026 12:11:59 +0000 Subject: [PATCH 4/5] Apply remaining changes Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ab-testing-advisor.lock.yml | 3 +-- .github/workflows/ace-editor.lock.yml | 3 +-- .../workflows/agent-performance-analyzer.lock.yml | 3 +-- .github/workflows/agent-persona-explorer.lock.yml | 3 +-- .github/workflows/agentic-token-audit.lock.yml | 3 +-- .../workflows/agentic-token-optimizer.lock.yml | 3 +-- .github/workflows/ai-moderator.lock.yml | 3 +-- .github/workflows/api-consumption-report.lock.yml | 3 +-- .github/workflows/approach-validator.lock.yml | 3 +-- .github/workflows/archie.lock.yml | 3 +-- .github/workflows/architecture-guardian.lock.yml | 3 +-- .github/workflows/artifacts-summary.lock.yml | 3 +-- .github/workflows/audit-workflows.lock.yml | 3 +-- .github/workflows/auto-triage-issues.lock.yml | 3 +-- .github/workflows/avenger.lock.yml | 3 +-- .../workflows/aw-failure-investigator.lock.yml | 3 +-- .github/workflows/blog-auditor.lock.yml | 3 +-- .github/workflows/bot-detection.lock.yml | 3 +-- .github/workflows/brave.lock.yml | 3 +-- .../workflows/breaking-change-checker.lock.yml | 3 +-- .github/workflows/changeset.lock.yml | 3 +-- .github/workflows/chaos-pr-bundle-fuzzer.lock.yml | 3 +-- .github/workflows/ci-coach.lock.yml | 3 +-- .github/workflows/ci-doctor.lock.yml | 3 +-- .../claude-code-user-docs-review.lock.yml | 3 +-- .../workflows/cli-consistency-checker.lock.yml | 3 +-- .github/workflows/cli-version-checker.lock.yml | 3 +-- .github/workflows/cloclo.lock.yml | 3 +-- .github/workflows/code-scanning-fixer.lock.yml | 3 +-- .github/workflows/code-simplifier.lock.yml | 3 +-- .../codex-github-remote-mcp-test.lock.yml | 3 +-- .../workflows/commit-changes-analyzer.lock.yml | 3 +-- .../workflows/constraint-solving-potd.lock.yml | 3 +-- .github/workflows/contribution-check.lock.yml | 3 +-- 
.github/workflows/copilot-agent-analysis.lock.yml | 3 +-- .../workflows/copilot-cli-deep-research.lock.yml | 3 +-- .github/workflows/copilot-opt.lock.yml | 3 +-- .../workflows/copilot-pr-merged-report.lock.yml | 3 +-- .../workflows/copilot-pr-nlp-analysis.lock.yml | 3 +-- .../workflows/copilot-pr-prompt-analysis.lock.yml | 3 +-- .../workflows/copilot-session-insights.lock.yml | 3 +-- .github/workflows/craft.lock.yml | 3 +-- .../daily-agent-of-the-day-blog-writer.lock.yml | 3 +-- .../daily-agentrx-trace-optimizer.lock.yml | 3 +-- .../workflows/daily-architecture-diagram.lock.yml | 3 +-- .../workflows/daily-assign-issue-to-user.lock.yml | 3 +-- ...ly-astrostylelite-markdown-spellcheck.lock.yml | 3 +-- .../daily-aw-cross-repo-compile-check.lock.yml | 3 +-- .github/workflows/daily-byok-ollama-test.lock.yml | 3 +-- .../daily-cache-strategy-analyzer.lock.yml | 15 +++++++-------- .../workflows/daily-caveman-optimizer.lock.yml | 3 +-- .github/workflows/daily-choice-test.lock.yml | 3 +-- .github/workflows/daily-cli-performance.lock.yml | 3 +-- .github/workflows/daily-cli-tools-tester.lock.yml | 3 +-- .github/workflows/daily-code-metrics.lock.yml | 3 +-- .../daily-community-attribution.lock.yml | 3 +-- .github/workflows/daily-compiler-quality.lock.yml | 3 +-- .../daily-compiler-threat-spec-optimizer.lock.yml | 3 +-- .github/workflows/daily-doc-healer.lock.yml | 3 +-- .github/workflows/daily-doc-updater.lock.yml | 3 +-- .../workflows/daily-experiment-report.lock.yml | 3 +-- .github/workflows/daily-fact.lock.yml | 15 +++++++-------- .github/workflows/daily-file-diet.lock.yml | 3 +-- .github/workflows/daily-firewall-report.lock.yml | 3 +-- .github/workflows/daily-function-namer.lock.yml | 3 +-- .github/workflows/daily-geo-optimizer.lock.yml | 3 +-- ...-grafana-otel-instrumentation-advisor.lock.yml | 3 +-- .github/workflows/daily-hippo-learn.lock.yml | 3 +-- .github/workflows/daily-issues-report.lock.yml | 3 +-- .../workflows/daily-malicious-code-scan.lock.yml | 3 +-- 
.../daily-mcp-concurrency-analysis.lock.yml | 3 +-- 71 files changed, 83 insertions(+), 154 deletions(-) diff --git a/.github/workflows/ab-testing-advisor.lock.yml b/.github/workflows/ab-testing-advisor.lock.yml index 964b120bb39..3dd67579fdf 100644 --- a/.github/workflows/ab-testing-advisor.lock.yml +++ b/.github/workflows/ab-testing-advisor.lock.yml @@ -124,7 +124,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily A/B Testing Advisor" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/ab-testing-advisor.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily A/B Testing Advisor" diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 2b5007c6ac7..d4deeed0412 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -123,7 +123,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "ACE Editor Session" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/ace-editor.lock.yml@${{ github.ref }} 
@@ -160,7 +160,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "ACE Editor Session" diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index a424c619ff9..2978024d9ac 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -122,7 +122,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/agent-performance-analyzer.lock.yml@${{ github.ref }} @@ -159,7 +159,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Agent Performance Analyzer - Meta-Orchestrator" diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 82c9e68b991..be0399199ca 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml 
@@ -124,7 +124,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Agent Persona Explorer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/agent-persona-explorer.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Agent Persona Explorer" diff --git a/.github/workflows/agentic-token-audit.lock.yml b/.github/workflows/agentic-token-audit.lock.yml index 92ddada6dac..b10cb0b03e5 100644 --- a/.github/workflows/agentic-token-audit.lock.yml +++ b/.github/workflows/agentic-token-audit.lock.yml @@ -111,7 +111,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Agentic Workflow Token Usage Audit" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/agentic-token-audit.lock.yml@${{ github.ref }} @@ -148,7 +148,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Agentic Workflow Token Usage Audit" diff --git a/.github/workflows/agentic-token-optimizer.lock.yml b/.github/workflows/agentic-token-optimizer.lock.yml index 8694c57e44c..7788d0363c6 100644 --- a/.github/workflows/agentic-token-optimizer.lock.yml 
+++ b/.github/workflows/agentic-token-optimizer.lock.yml @@ -102,7 +102,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Token Usage Optimizer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/agentic-token-optimizer.lock.yml@${{ github.ref }} @@ -139,7 +139,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Agentic Workflow Token Usage Optimizer" diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 488d6618f9d..12e2414cf39 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -154,7 +154,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "AI Moderator" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/ai-moderator.lock.yml@${{ github.ref }} @@ -191,7 +191,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "AI Moderator" 
diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 2750df2f9ba..e09fc1d6726 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -129,7 +129,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "GitHub API Consumption Report Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/api-consumption-report.lock.yml@${{ github.ref }} @@ -166,7 +166,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "GitHub API Consumption Report Agent" diff --git a/.github/workflows/approach-validator.lock.yml b/.github/workflows/approach-validator.lock.yml index 3ce12aafc10..6b98de78a07 100644 --- a/.github/workflows/approach-validator.lock.yml +++ b/.github/workflows/approach-validator.lock.yml @@ -133,7 +133,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Approach Validator" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/approach-validator.lock.yml@${{ github.ref }} 
@@ -170,7 +170,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Approach Validator" diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 152f7607791..9652787e4d8 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -126,7 +126,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Archie" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/archie.lock.yml@${{ github.ref }} @@ -163,7 +163,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Archie" diff --git a/.github/workflows/architecture-guardian.lock.yml b/.github/workflows/architecture-guardian.lock.yml index 7429df92520..1a481a314f7 100644 --- a/.github/workflows/architecture-guardian.lock.yml +++ b/.github/workflows/architecture-guardian.lock.yml 
@@ -124,7 +124,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Architecture Guardian" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/architecture-guardian.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Architecture Guardian" diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 19727bacdc8..4fa452d4918 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -117,7 +117,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Artifacts Summary" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/artifacts-summary.lock.yml@${{ github.ref }} @@ -154,7 +154,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Artifacts Summary" diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 6b367a3f25b..abe531eaf6d 100644 --- a/.github/workflows/audit-workflows.lock.yml 
+++ b/.github/workflows/audit-workflows.lock.yml @@ -129,7 +129,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Agentic Workflow Audit Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/audit-workflows.lock.yml@${{ github.ref }} @@ -166,7 +166,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Agentic Workflow Audit Agent" diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 94eb1c2eed7..c97893f9966 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -127,7 +127,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Auto-Triage Issues" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/auto-triage-issues.lock.yml@${{ github.ref }} @@ -164,7 +164,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Auto-Triage Issues" diff --git a/.github/workflows/avenger.lock.yml b/.github/workflows/avenger.lock.yml index c8d00a5ecbf..90635526806 100644 
--- a/.github/workflows/avenger.lock.yml +++ b/.github/workflows/avenger.lock.yml @@ -121,7 +121,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Avenger" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/avenger.lock.yml@${{ github.ref }} @@ -158,7 +158,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Avenger" diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index 5de96d8a3ea..413b587060a 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -127,7 +127,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "[aw] Failure Investigator (6h)" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/aw-failure-investigator.lock.yml@${{ github.ref }} @@ -164,7 +164,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "[aw] Failure Investigator (6h)" diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index cfe7d6d34d4..4b99a3fa336 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml 
@@ -121,7 +121,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Blog Auditor" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/blog-auditor.lock.yml@${{ github.ref }} @@ -158,7 +158,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Blog Auditor" diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index cf2194a9e90..fdeb9789286 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -117,7 +117,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Bot Detection" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/bot-detection.lock.yml@${{ github.ref }} @@ -154,7 +154,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Bot Detection" diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 22ac911be27..0b8bd91d3c0 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml 
@@ -125,7 +125,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Brave Web Search Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/brave.lock.yml@${{ github.ref }} @@ -162,7 +162,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Brave Web Search Agent" diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 857fa1a919c..a233e76cbd3 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -124,7 +124,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Breaking Change Checker" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/breaking-change-checker.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Breaking Change Checker" 
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 790cf85a3e9..10871e8067e 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -137,7 +137,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Changeset Generator" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/changeset.lock.yml@${{ github.ref }} @@ -174,7 +174,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Changeset Generator" diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml index 5d72dc74a60..968900de0b6 100644 --- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml +++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml @@ -119,7 +119,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Chaos PR Bundle Fuzzer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml@${{ github.ref }} 
@@ -155,7 +155,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Chaos PR Bundle Fuzzer" diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 6d23e3b644d..06b97f552e4 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -125,7 +125,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "CI Optimization Coach" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/ci-coach.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "CI Optimization Coach" diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 13b20f68033..0b8c22fa768 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -133,7 +133,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "CI Failure Doctor" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/ci-doctor.lock.yml@${{ github.ref }} 
@@ -173,7 +173,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "CI Failure Doctor" diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 16e46d23a64..ab3e51a4cf2 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -122,7 +122,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Claude Code User Documentation Review" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/claude-code-user-docs-review.lock.yml@${{ github.ref }} @@ -159,7 +159,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Claude Code User Documentation Review" diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 5c6356fde8a..136fbbea3d5 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml 
@@ -114,7 +114,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "CLI Consistency Checker" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/cli-consistency-checker.lock.yml@${{ github.ref }} @@ -151,7 +151,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "CLI Consistency Checker" diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 6e71f36b5b3..7c7d247d203 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -120,7 +120,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "CLI Version Checker" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/cli-version-checker.lock.yml@${{ github.ref }} @@ -157,7 +157,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "CLI Version Checker" diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index fefd31de488..df95bf82e22 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -142,7 +142,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "/cloclo" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/cloclo.lock.yml@${{ github.ref }} @@ -179,7 +179,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "/cloclo" diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index fd0aaec2d96..dafb9f62b9f 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -124,7 +124,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Code Scanning Fixer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/code-scanning-fixer.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Code Scanning Fixer" 
diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 4db2b8693f5..f07a5681e64 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -125,7 +125,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Code Simplifier" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/code-simplifier.lock.yml@${{ github.ref }} @@ -162,7 +162,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Code Simplifier" diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 880777ed1fb..dc0f4769c34 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -113,7 +113,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Codex GitHub Remote MCP Test" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/codex-github-remote-mcp-test.lock.yml@${{ github.ref }} 
@@ -150,7 +150,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Codex GitHub Remote MCP Test" diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index da7c2a83067..2b10b0c7b56 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -119,7 +119,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Commit Changes Analyzer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/commit-changes-analyzer.lock.yml@${{ github.ref }} @@ -156,7 +156,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Commit Changes Analyzer" diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 460bc913b4c..12f68b355a9 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml 
@@ -117,7 +117,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Constraint Solving — Problem of the Day" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/constraint-solving-potd.lock.yml@${{ github.ref }} @@ -154,7 +154,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Constraint Solving — Problem of the Day" diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index a287354267d..dac59468872 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -119,7 +119,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Contribution Check" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/contribution-check.lock.yml@${{ github.ref }} @@ -156,7 +156,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Contribution Check" diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index f66c8ed6164..e4e3ecee9c5 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -125,7 +125,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Copilot Agent PR Analysis" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-agent-analysis.lock.yml@${{ github.ref }} @@ -162,7 +162,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Copilot Agent PR Analysis" diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 1d0d471ab88..39dddcd80ab 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -116,7 +116,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Copilot CLI Deep Research Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-cli-deep-research.lock.yml@${{ github.ref }} @@ -153,7 +153,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Copilot CLI Deep Research Agent" diff --git a/.github/workflows/copilot-opt.lock.yml b/.github/workflows/copilot-opt.lock.yml index 033776f844a..16dc3aaea2f 100644 --- a/.github/workflows/copilot-opt.lock.yml +++ b/.github/workflows/copilot-opt.lock.yml 
@@ -123,7 +123,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Copilot Opt" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-opt.lock.yml@${{ github.ref }} @@ -160,7 +160,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Copilot Opt" diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index abb4bb8941c..39530c8aaec 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -121,7 +121,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Copilot PR Merged Report" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-pr-merged-report.lock.yml@${{ github.ref }} @@ -158,7 +158,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Copilot PR Merged Report" diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 164b9f2c015..93a6a437ceb 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml 
@@ -126,7 +126,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Copilot PR Conversation NLP Analysis" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-pr-nlp-analysis.lock.yml@${{ github.ref }} @@ -163,7 +163,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Copilot PR Conversation NLP Analysis" diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 4bd2adea1c7..df4b42392db 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -123,7 +123,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Copilot PR Prompt Pattern Analysis" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-pr-prompt-analysis.lock.yml@${{ github.ref }} @@ -160,7 +160,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Copilot PR Prompt Pattern Analysis" diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index b779b20d7aa..e53b09072ac 100644 
--- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -129,7 +129,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Copilot Session Insights" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/copilot-session-insights.lock.yml@${{ github.ref }} @@ -166,7 +166,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Copilot Session Insights" diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 9801f75c0a1..843ba4c0981 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -123,7 +123,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Workflow Craft Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/craft.lock.yml@${{ github.ref }} @@ -160,7 +160,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Workflow Craft Agent" 
diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index 775c23454ba..c6b5744373d 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -127,7 +127,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Agent of the Day Blog Writer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml@${{ github.ref }} @@ -164,7 +164,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Agent of the Day Blog Writer" diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index 99f0c1f5b08..a0a0823b5ad 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml @@ -122,7 +122,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily AgentRx Trace Optimizer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-agentrx-trace-optimizer.lock.yml@${{ github.ref }} 
@@ -159,7 +159,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily AgentRx Trace Optimizer" diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 9b891cceace..106fec4551b 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -122,7 +122,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Architecture Diagram Generator" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-architecture-diagram.lock.yml@${{ github.ref }} @@ -159,7 +159,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Architecture Diagram Generator" diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index b1852acfd72..3cdaac74cbc 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml 
@@ -114,7 +114,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Auto-Assign Issue" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-assign-issue-to-user.lock.yml@${{ github.ref }} @@ -151,7 +151,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Auto-Assign Issue" diff --git a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml index 2e5b04ebb02..99b06ec6bab 100644 --- a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml +++ b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml @@ -119,7 +119,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily AstroStyleLite Markdown Spellcheck" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml@${{ github.ref }} @@ -156,7 +156,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily AstroStyleLite Markdown Spellcheck" 
diff --git a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml index 73474a960aa..ab8a1cb87f5 100644 --- a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml +++ b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml @@ -120,7 +120,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily AW Cross-Repo Compile Check" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml@${{ github.ref }} @@ -157,7 +157,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily AW Cross-Repo Compile Check" diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index 41df1be63ba..e895b923cb8 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -98,7 +98,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily BYOK Ollama Test" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-byok-ollama-test.lock.yml@${{ github.ref }} 
@@ -133,7 +133,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily BYOK Ollama Test" diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 8f7fd726132..383b15caffd 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -126,7 +126,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Cache Strategy Analyzer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-cache-strategy-analyzer.lock.yml@${{ github.ref }} @@ -163,7 +163,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Cache Strategy Analyzer" 
@@ -1534,18 +1533,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.22' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_acc7ae0b7c340a21_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_9ce70292784dfbc2_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["^CODEX_API_KEY$", "^HOME$", "^OPENAI_API_KEY$", "^PATH$"] - GH_AW_MCP_CONFIG_acc7ae0b7c340a21_EOF + GH_AW_MCP_CONFIG_9ce70292784dfbc2_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_7054362dfbe99697_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d2a3cc6b27fd2cd8_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1556,11 +1555,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_7054362dfbe99697_EOF + GH_AW_MCP_CONFIG_d2a3cc6b27fd2cd8_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_e5b973df5cea351e_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_bbc6f1e364b5e05e_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1570,7 +1569,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["^CODEX_API_KEY$", "^HOME$", "^OPENAI_API_KEY$", "^PATH$"] - GH_AW_CODEX_SHELL_POLICY_e5b973df5cea351e_EOF + GH_AW_CODEX_SHELL_POLICY_bbc6f1e364b5e05e_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml index d426cc70bcc..ba63861b503 100644 --- a/.github/workflows/daily-caveman-optimizer.lock.yml +++ b/.github/workflows/daily-caveman-optimizer.lock.yml @@ -120,7 +120,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Caveman Optimizer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-caveman-optimizer.lock.yml@${{ github.ref }} 
@@ -157,7 +157,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Caveman Optimizer" diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1d4cd2a0bb5..f5e1c29daae 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -117,7 +117,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Choice Type Test" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-choice-test.lock.yml@${{ github.ref }} @@ -154,7 +154,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Choice Type Test" diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 4cd07049eb0..4cbf0ff7524 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
@@ -148,7 +148,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily CLI Performance Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-cli-performance.lock.yml@${{ github.ref }} @@ -185,7 +185,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily CLI Performance Agent" diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 0d75714ec80..da7abd0fbcc 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -122,7 +122,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily CLI Tools Exploratory Tester" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-cli-tools-tester.lock.yml@${{ github.ref }} @@ -159,7 +159,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily CLI Tools Exploratory Tester" 
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index a19a27e7f46..03f07b9cb1e 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -126,7 +126,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Code Metrics and Trend Tracking Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-code-metrics.lock.yml@${{ github.ref }} @@ -163,7 +163,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Code Metrics and Trend Tracking Agent" diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 9505af2d050..d0a2dce6482 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -121,7 +121,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Community Attribution Updater" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-community-attribution.lock.yml@${{ github.ref }} 
@@ -158,7 +158,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Community Attribution Updater" diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index fb08d9ce17d..2ebc814220b 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -126,7 +126,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Compiler Quality Check" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-compiler-quality.lock.yml@${{ github.ref }} @@ -163,7 +163,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Compiler Quality Check" diff --git a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml index 2dcd8b50a9e..d7e1c0f712f 100644 --- a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml +++ b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml 
@@ -121,7 +121,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Compiler Threat Spec Optimizer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml@${{ github.ref }} @@ -158,7 +158,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Compiler Threat Spec Optimizer" diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index f98527a25b9..aef4e3a847c 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -124,7 +124,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Documentation Healer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-doc-healer.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Documentation Healer" diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index b2f5aa60fbd..3ef5406dede 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml 
@@ -120,7 +120,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Documentation Updater" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-doc-updater.lock.yml@${{ github.ref }} @@ -157,7 +157,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Documentation Updater" diff --git a/.github/workflows/daily-experiment-report.lock.yml b/.github/workflows/daily-experiment-report.lock.yml index f8daf0d2954..b3bb28012bb 100644 --- a/.github/workflows/daily-experiment-report.lock.yml +++ b/.github/workflows/daily-experiment-report.lock.yml @@ -122,7 +122,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "daily-experiment-report" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-experiment-report.lock.yml@${{ github.ref }} @@ -159,7 +159,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "daily-experiment-report" diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 86a8c139fa0..96a8e5b42e5 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -126,7 +126,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Fact About gh-aw" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-fact.lock.yml@${{ github.ref }} @@ -163,7 +163,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Fact About gh-aw" 
@@ -1591,18 +1590,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.22' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_36c928a19f34a3e6_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_6d5b3068edab0343_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["^CODEX_API_KEY$", "^HOME$", "^OPENAI_API_KEY$", "^PATH$"] - GH_AW_MCP_CONFIG_36c928a19f34a3e6_EOF + GH_AW_MCP_CONFIG_6d5b3068edab0343_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_eec5ea07bd9ad602_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_9e0d09399e77bf00_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1613,11 +1612,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_eec5ea07bd9ad602_EOF + GH_AW_MCP_CONFIG_9e0d09399e77bf00_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_cada02899cd7c9c0_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_8b198e6a4c2b25a4_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1627,7 +1626,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["^CODEX_API_KEY$", "^HOME$", "^OPENAI_API_KEY$", "^PATH$"] - GH_AW_CODEX_SHELL_POLICY_cada02899cd7c9c0_EOF + GH_AW_CODEX_SHELL_POLICY_8b198e6a4c2b25a4_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index b433d888d36..67eccfea058 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -128,7 +128,7 @@ jobs: job-name: ${{ github.job }} trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }} parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily File Diet" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-file-diet.lock.yml@${{ github.ref }} 
@@ -165,7 +165,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily File Diet" diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 167cdb7aa6c..2441191e91b 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -127,7 +127,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Firewall Logs Collector and Reporter" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-firewall-report.lock.yml@${{ github.ref }} @@ -164,7 +164,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Firewall Logs Collector and Reporter" diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 2b36105b946..b62f14882d1 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -125,7 +125,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Go Function Namer" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-function-namer.lock.yml@${{ github.ref }} 
@@ -162,7 +162,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Go Function Namer" diff --git a/.github/workflows/daily-geo-optimizer.lock.yml b/.github/workflows/daily-geo-optimizer.lock.yml index 334a878f6fe..29b59c3d7e6 100644 --- a/.github/workflows/daily-geo-optimizer.lock.yml +++ b/.github/workflows/daily-geo-optimizer.lock.yml @@ -120,7 +120,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "GEO Optimizer Daily Audit" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-geo-optimizer.lock.yml@${{ github.ref }} @@ -157,7 +157,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "GEO Optimizer Daily Audit" diff --git a/.github/workflows/daily-grafana-otel-instrumentation-advisor.lock.yml b/.github/workflows/daily-grafana-otel-instrumentation-advisor.lock.yml index b8947cda74c..27511220c00 100644 --- a/.github/workflows/daily-grafana-otel-instrumentation-advisor.lock.yml +++ b/.github/workflows/daily-grafana-otel-instrumentation-advisor.lock.yml 
@@ -124,7 +124,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Grafana OTel Instrumentation Advisor" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-grafana-otel-instrumentation-advisor.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Grafana OTel Instrumentation Advisor" diff --git a/.github/workflows/daily-hippo-learn.lock.yml b/.github/workflows/daily-hippo-learn.lock.yml index bd72fc1bbe4..75d07dc7cc4 100644 --- a/.github/workflows/daily-hippo-learn.lock.yml +++ b/.github/workflows/daily-hippo-learn.lock.yml @@ -119,7 +119,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Hippo Learn" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-hippo-learn.lock.yml@${{ github.ref }} @@ -156,7 +156,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Hippo Learn" diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 6155d4bab53..db8c82752e6 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml 
@@ -130,7 +130,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Issues Report Generator" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-issues-report.lock.yml@${{ github.ref }} @@ -167,7 +167,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Issues Report Generator" diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index c43e73667a5..0c173624b4d 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -118,7 +118,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily Malicious Code Scan Agent" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-malicious-code-scan.lock.yml@${{ github.ref }} @@ -155,7 +155,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily Malicious Code Scan Agent" diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index cc375dc3424..f60e5fc14cf 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml 
+++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -124,7 +124,7 @@ jobs: with: destination: ${{ runner.temp }}/gh-aw/actions job-name: ${{ github.job }} - safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} + safe-output-artifact-client: 'true' env: GH_AW_SETUP_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/daily-mcp-concurrency-analysis.lock.yml@${{ github.ref }} @@ -161,7 +161,6 @@ jobs: await main(core, context); - name: Check daily workflow token guardrail id: daily-effective-workflow-guardrail - if: ${{ env.GH_AW_MAX_DAILY_EFFECTIVE_TOKENS != '' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" From 351ea8293d70509921f9a8428b432e31e528ba8d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 1 Jun 2026 14:35:57 +0000 Subject: [PATCH 5/5] Align manifest private blocking with private:true semantics Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- ...ect-private-field-in-manifest-workflows.md | 24 +++++++++---------- pkg/cli/add_package_manifest.go | 6 +---- pkg/cli/add_package_manifest_test.go | 8 +++---- pkg/cli/add_workflow_resolution.go | 7 ++---- pkg/cli/compile_repository_manifest_test.go | 8 +++---- 5 files changed, 23 insertions(+), 30 deletions(-) diff --git a/docs/adr/36227-reject-private-field-in-manifest-workflows.md b/docs/adr/36227-reject-private-field-in-manifest-workflows.md index f3a49ff205a..1ea0efc08e0 100644 --- a/docs/adr/36227-reject-private-field-in-manifest-workflows.md +++ b/docs/adr/36227-reject-private-field-in-manifest-workflows.md 
@@ -1,37 +1,37 @@ -# ADR-36227: Reject the `private` Field in Manifest-Listed Installable Workflows +# ADR-36227: Enforce `private: true` for Add/Package Blocking **Date**: 2026-06-01 **Status**: Draft ## Context -`aw.yml` package manifests can list installable workflows that other repositories add via `gh aw add` / `gh aw add-wizard`. The `private` frontmatter field was designed to block a standalone workflow from being installed elsewhere (`private: true`), but the manifest resolution path only consulted `ExtractWorkflowPrivate`, which returned `false` for both an absent field and an explicit `private: false`. As a result, a manifest could list a workflow declaring `private: false`, and that declaration would silently pass — leaking an installation-control field into package manifests where it has no coherent meaning. A workflow that is listed in a manifest is, by definition, meant to be installed, so any `private` declaration on it (true *or* false) is contradictory and should be surfaced rather than ignored. +`aw.yml` package manifests can list installable workflows that other repositories add via `gh aw add` / `gh aw add-wizard`. The `private` frontmatter field is intended to block installation only when it is explicitly set to `true`. Manifest-backed resolution and compile-time validation must preserve that semantics consistently, so package workflows only fail when they declare `private: true`. ## Decision -We will treat the presence of a `private` field on a manifest-listed installable workflow as a manifest validation error, distinguishing presence from value. We split `ExtractWorkflowPrivate(content) bool` into a presence-aware `ExtractWorkflowPrivateSetting(content) (value, present bool)`, keeping `ExtractWorkflowPrivate` as a thin wrapper for the existing standalone-add behavior. 
Both manifest-backed resolution (`ResolveWorkflows` for `FromRepositoryManifest` specs) and compile-time local manifest validation (`validateLocalRepositoryPackageContents`) now reject any listed workflow that declares `private`, emitting manifest-scoped errors that name the offending workflow path: `private: true` reports that private workflows cannot be added, and `private: false` instructs the author to remove the field. +We keep `ExtractWorkflowPrivateSetting(content) (value, present bool)` for frontmatter parsing, but manifest-backed resolution (`ResolveWorkflows` for `FromRepositoryManifest` specs) and compile-time local manifest validation reject only `private: true`. `private: false` remains installable. ## Alternatives Considered -### Alternative 1: Keep value-only extraction and reject only `private: true` -Continue using the boolean-only `ExtractWorkflowPrivate` and reject manifest workflows only when it returns `true`. This was rejected because it cannot distinguish an absent field from `private: false`, so the originally-reported leak (`private: false` slipping into a manifest) would remain silently accepted, and authors would get no signal that the field is meaningless in a manifest context. +### Alternative 1: Reject any manifest-listed `private` declaration +Reject `private: true` and `private: false` equally for manifest-listed workflows. This was rejected because `private: false` is not a disable signal and should not block install/package behavior. -### Alternative 2: Strip or normalize the `private` field during manifest install instead of erroring -Silently drop the `private` field when resolving manifest workflows so installation proceeds regardless. This was rejected because silent normalization hides author intent and conflicts with the project's fail-loud manifest-validation posture; an explicit, path-scoped error is more debuggable and prevents shipping manifests that encode contradictory intent. 
+### Alternative 2: Strip or normalize the `private` field during manifest install instead of respecting value +Silently normalize `private` during manifest resolution. This was rejected because it hides intent; explicit `private: true` should continue to fail loudly. ## Consequences ### Positive -- Closes the leak where `private: false` in a manifest-listed workflow was silently accepted; the field is now rejected at both add time and compile time. -- Error messages are presence- and value-aware and name the offending workflow path, making the fix obvious to manifest authors. +- Add/package and compile-time validation consistently reject only workflows that declare `private: true`. +- Error messages continue to name the offending workflow path when rejection occurs. ### Negative -- Existing published manifests that list workflows carrying any `private` declaration will now fail to add/compile until the field is removed — a breaking change for those packages. -- Introduces a second extraction function (`ExtractWorkflowPrivateSetting` alongside `ExtractWorkflowPrivate`) and parallel rejection logic in both the resolution and compile-time paths that must stay in sync. +- Existing manifests using `private: false` remain installable; only `private: true` workflows are blocked. +- Introduces a second extraction function (`ExtractWorkflowPrivateSetting` alongside `ExtractWorkflowPrivate`) and parallel checks in both the resolution and compile-time paths that must stay in sync. ### Neutral - Standalone (non-manifest) workflow adds are unchanged: `private: true` still blocks installation via the preserved `ExtractWorkflowPrivate` path. -- Compile-time validation now scans manifest-listed installable paths (explicit `files:`/`includes:` entries, or discovered package directories) to apply the rule uniformly. 
+- Compile-time validation scans manifest-listed installable paths (explicit `files:`/`includes:` entries, or discovered package directories) using the same `private: true` semantics. --- diff --git a/pkg/cli/add_package_manifest.go b/pkg/cli/add_package_manifest.go index e81233be5ea..e640c37fe0e 100644 --- a/pkg/cli/add_package_manifest.go +++ b/pkg/cli/add_package_manifest.go @@ -717,13 +717,9 @@ func validateManifestInstallableWorkflowPrivacy(manifestPath string, installatio } privateValue, hasPrivate := ExtractWorkflowPrivateSetting(string(content)) - if !hasPrivate { - continue - } - if privateValue { + if hasPrivate && privateValue { return fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included because private workflows cannot be added", manifestPath, installationSource) } - return fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: false; remove the private field because manifest-listed workflows must not declare it", manifestPath, installationSource) } return nil diff --git a/pkg/cli/add_package_manifest_test.go b/pkg/cli/add_package_manifest_test.go index a8099cc968b..d2595c46223 100644 --- a/pkg/cli/add_package_manifest_test.go +++ b/pkg/cli/add_package_manifest_test.go @@ -473,7 +473,7 @@ files: assert.Equal(t, ".github/workflows/nightly-review.md", resolved.Workflows[1].Spec.WorkflowPath) } -func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { +func TestResolveWorkflows_RepositoryPackageRejectsPrivateTrue(t *testing.T) { originalFetchFn := fetchWorkflowFromSourceWithContextFn originalDownload := downloadPackageFileFromGitHubForHost originalList := listPackageWorkflowFilesForHost 
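Review bot: The new condition `if hasPrivate && privateValue` in validateManifestInstallableWorkflowPrivacy lets everything through except an explicit boolean true, so the gate now depends on how ExtractWorkflowPrivateSetting reports frontmatter it cannot parse or a non-boolean value such as a quoted `"true"`. That helper is not visible in this patch; if it returns (false, false) in those cases, a workflow its author meant to keep private is treated as installable. The same condition is repeated in ResolveWorkflows in pkg/cli/add_workflow_resolution.go. I would state the contract above the check, e.g. `// Only an explicit boolean private: true blocks installation; absent or false is installable.`, and add a test with a malformed `private` value so the chosen behaviour is pinned. The function body starts outside this hunk.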
@@ -504,7 +504,7 @@ func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { case "README.md": return []byte("# Repo Assist\n"), nil case "workflows/review.md": - return []byte("---\nprivate: false\n---\n\n# Review\n"), nil + return []byte("---\nprivate: true\n---\n\n# Review\n"), nil default: return nil, createRepositoryPackageNotFoundError(path) } @@ -515,7 +515,7 @@ func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { } fetchWorkflowFromSourceWithContextFn = func(_ context.Context, spec *WorkflowSpec, _ bool) (*FetchedWorkflow, error) { return &FetchedWorkflow{ - Content: []byte("---\nprivate: false\n---\n\n# Review\n"), + Content: []byte("---\nprivate: true\n---\n\n# Review\n"), CommitSHA: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", IsLocal: false, SourcePath: spec.WorkflowPath, @@ -524,7 +524,7 @@ func TestResolveWorkflows_RepositoryPackageRejectsPrivateFalse(t *testing.T) { _, err := ResolveWorkflows(context.Background(), []string{"owner/repo"}, false) require.Error(t, err) - assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) + assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: true`) } func TestResolveWorkflows_NestedRepositoryPackage(t *testing.T) { diff --git a/pkg/cli/add_workflow_resolution.go b/pkg/cli/add_workflow_resolution.go index bebcd640721..ba04ba6230c 100644 --- a/pkg/cli/add_workflow_resolution.go +++ b/pkg/cli/add_workflow_resolution.go 
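Review bot: No test in these hunks covers the newly permitted case, a manifest-listed workflow declaring `private: false`. TestResolveWorkflows_RepositoryPackageRejectsPrivateTrue is the former private-false test with its fixtures and assertion flipped, and TestCompileWorkflows_RejectsManifestWorkflowWithPrivateTrue in pkg/cli/compile_repository_manifest_test.go is changed the same way, so only the rejecting path is asserted. A sibling case that serves `---\nprivate: false\n---\n\n# Review\n` and ends in `require.NoError(t, err)` would guard the relaxed rule against regressing in either direction. Whether such a test already exists elsewhere in these files cannot be told from the hunks.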
@@ -216,12 +216,9 @@ func ResolveWorkflows(ctx context.Context, workflows []string, verbose bool) (*R if spec.FromRepositoryManifest { privateValue, hasPrivate := ExtractWorkflowPrivateSetting(string(fetched.Content)) - if hasPrivate { + if hasPrivate && privateValue { manifestPath := joinRepositoryPackagePath(spec.PackagePath, repositoryPackageManifestFileName) - if privateValue { - return nil, fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included because private workflows cannot be added", manifestPath, resolvedSpec.WorkflowPath) - } - return nil, fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: false; remove the private field because manifest-listed workflows must not declare it", manifestPath, resolvedSpec.WorkflowPath) + return nil, fmt.Errorf("invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included because private workflows cannot be added", manifestPath, resolvedSpec.WorkflowPath) } } diff --git a/pkg/cli/compile_repository_manifest_test.go b/pkg/cli/compile_repository_manifest_test.go index 624245fae73..9cf78b1f76b 100644 --- a/pkg/cli/compile_repository_manifest_test.go +++ b/pkg/cli/compile_repository_manifest_test.go @@ -180,8 +180,8 @@ name: Repo Assist assert.Contains(t, err.Error(), "missing required README.md") } -func TestCompileWorkflows_RejectsManifestWorkflowWithPrivateFalse(t *testing.T) { - tmpDir := testutil.TempDir(t, "aw-manifest-private-false-*") +func TestCompileWorkflows_RejectsManifestWorkflowWithPrivateTrue(t *testing.T) { + tmpDir := testutil.TempDir(t, "aw-manifest-private-true-*") originalWd, err := os.Getwd() require.NoError(t, err) t.Cleanup(func() { _ = os.Chdir(originalWd) }) 
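Review bot: The `invalid Agentic Workflow manifest %q: workflow %q sets private: true and cannot be included ...` error built here in ResolveWorkflows is the same literal as the one in validateManifestInstallableWorkflowPrivacy (pkg/cli/add_package_manifest.go). The ADR in this patch already lists keeping these parallel checks in sync as a cost. A small shared helper would keep the rule and its wording in one place, for example a proposed `func errManifestPrivateWorkflow(manifestPath, workflowPath string) error` that returns this `fmt.Errorf` and is called from both sites. ResolveWorkflows starts and ends outside this hunk.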
@@ -193,7 +193,7 @@ func TestCompileWorkflows_RejectsManifestWorkflowWithPrivateFalse(t *testing.T) require.NoError(t, os.MkdirAll(filepath.Join(tmpDir, "workflows"), 0o755)) require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "workflows", "review.md"), []byte(`--- -private: false +private: true --- # Review @@ -207,7 +207,7 @@ files: _, err = CompileWorkflows(context.Background(), CompileConfig{}) require.Error(t, err) - assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: false`) + assert.Contains(t, err.Error(), `workflow "workflows/review.md" sets private: true`) } func TestValidateRepositoryManifestForCompilation_PropagatesGitRootErrors(t *testing.T) {