Remove deprecated top-level run-install-scripts frontmatter field #36387
Merged
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "Remove top-level run-install-scripts frontmatter field" to "Remove deprecated top-level run-install-scripts frontmatter field" on Jun 2, 2026
Copilot created this pull request from a session on behalf of pelikhan, June 2, 2026 01:51
pelikhan approved these changes on Jun 2, 2026
Pull request overview
This PR removes the deprecated top-level run-install-scripts frontmatter key and reinforces the runtime-scoped configuration model by keeping support under runtimes.node.run-install-scripts.
Changes:
- Removed top-level `run-install-scripts` from `main_workflow_schema.json`.
- Removed the top-level `RunInstallScripts` field from the typed `FrontmatterConfig` Go model and updated related internal comments to reference `runtimes.node`.
- Regenerated `.github/workflows/audit-workflows.lock.yml`, introducing substantial workflow behavior changes.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/frontmatter_types.go | Removes the typed top-level RunInstallScripts field from FrontmatterConfig. |
| pkg/workflow/compiler_types.go | Updates WorkflowData comment to reference runtimes.node.run-install-scripts. |
| pkg/workflow/compiler_orchestrator_tools.go | Updates internal comment to reference runtimes.node.run-install-scripts. |
| pkg/parser/schemas/main_workflow_schema.json | Removes top-level schema property; refines runtime property description. |
| pkg/parser/import_processor.go | Updates comment to runtime-scoped semantics. |
| pkg/parser/import_field_extractor.go | Updates comment to runtime-scoped semantics. |
| .github/workflows/audit-workflows.lock.yml | Large regeneration with additional steps and behavior changes (beyond frontmatter contract update). |
Copilot's findings
- Files reviewed: 7/7 changed files
- Comments generated: 2
Comment on lines 10129 to 10133
| "run-install-scripts": { | ||
| "type": "boolean", | ||
| "default": false, | ||
| "description": "Allow npm pre/post install scripts to execute for this runtime during package installation. Overrides the global run-install-scripts setting for this specific runtime. Only affects runtimes that generate npm install commands (node). A supply chain security warning is emitted at compile time; in strict mode this is an error. See: https://github.github.com/gh-aw/reference/frontmatter/#run-install-scripts", | ||
| "description": "Allow npm pre/post install scripts to execute during package installation. A supply chain security warning is emitted at compile time; in strict mode this is an error. See: https://github.github.com/gh-aw/reference/frontmatter/#run-install-scripts", | ||
| "examples": [false, true] |
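Review bot: the replacement `description` for `run-install-scripts` drops the sentence "Only affects runtimes that generate npm install commands (node)" along with the "Overrides the global run-install-scripts setting" clause. Only the second refers to the removed top-level key; the first still tells a reader that setting this flag on a runtime other than node has no effect, so I would keep it in the new text. The link also still ends in `#run-install-scripts`, so it is worth confirming that the reference page has a heading with that slug, since this is where the compile-time supply chain warning sends people.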
Comment on lines +1 to 5
| # gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"cd18c35dfadc12bd2ec5d9708151ceef4203a63458cdc2ba743844b3b9ca2171","body_hash":"975c6cd4bcdc7582a0cc51cf1dc2dbdf5cb819352a2b26d3b35785f4cc8daf46","strict":true,"agent_id":"claude"} | ||
| # gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"docker/build-push-action","sha":"f9f3042f7e2789586610d6e8b85c8f03e5195baf","version":"v7.2.0"},{"repo":"docker/setup-buildx-action","sha":"d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5","version":"v4.1.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.58"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.58"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.22"},{"image":"ghcr.io/github/github-mcp-server:v1.1.0"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} | ||
| # ___ _ _ | ||
| # / _ \ | | (_) | ||
| # | |_| | __ _ ___ _ __ | |_ _ ___ |
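Review bot: in the `gh-aw-manifest` header line, only `node:lts-alpine` carries a `digest` and `pinned_image`; the five `ghcr.io/github/...` images are recorded by tag alone (`0.25.58`, `v0.3.22`, `v1.1.0`), while every entry under `actions` is pinned to a commit SHA. Suggest recording digests for those images as well, or stating why they are exempt, so the manifest gives the same guarantee for containers as for actions. Since this lock file is regenerated inside a PR whose stated scope is removing a schema key, the `secrets` list and image versions in this header deserve their own check against the previous lock file before merge.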
github-actions Bot added a commit that referenced this pull request on Jun 2, 2026

…tmatter fields

Add curated reference entries for two top-/runtime-level frontmatter fields that were previously only present in the auto-generated frontmatter-full.md:

- check-for-updates (top-level, default true) — activation-job version check
- runtimes.<runtime>.run-install-scripts (default false) — now the only valid form after the top-level field was removed (#36387)

Both headings use the field-name slug so the in-schema anchor links (#check-for-updates, #run-install-scripts) resolve to real headings, addressing the still-present gap tracked in #36275.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
`run-install-scripts` was still accepted at the top level even though runtime-scoped configuration now lives under `runtimes.node`. This PR tightens the frontmatter contract so install-script behavior is configured only in the Node runtime block.

Schema contract
- `run-install-scripts` from `main_workflow_schema.json`.
- `runtimes.*.run-install-scripts` support and clarified its description to reflect the runtime-scoped model.

Typed frontmatter model
- `RunInstallScripts` from `FrontmatterConfig` to align Go types with the schema and avoid implying top-level support.

Parser/compiler consistency
- `runtimes.node`.
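
A migration check for the contract change described above, as an added example that is not code from this PR or from the gh-aw project: it scans a workflow file's frontmatter and reports every `run-install-scripts` occurrence, marking only the `runtimes.<runtime>.run-install-scripts` form as valid. `AuditFrontmatter`, `Finding`, the `---` frontmatter delimiters and the sample text are assumptions made for the example, and the scanner handles block-style mappings only, not full YAML.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample frontmatter: the removed top-level key plus the runtime-scoped form.
const sample = `---
run-install-scripts: true
runtimes:
  node:
    run-install-scripts: true
---`

type Finding struct {
	Line  int    // 1-based line in the file
	Path  string // dotted key path
	Valid bool   // true only for runtimes.<runtime>.run-install-scripts
}

// AuditFrontmatter (hypothetical helper) tracks nesting by indentation between the first two "---" lines.
func AuditFrontmatter(doc string) (out []Finding) {
	var keys []string
	var indents []int
	fences := 0
	for i, raw := range strings.Split(doc, "\n") {
		text := strings.TrimSpace(raw)
		if text == "---" {
			fences++
		}
		key, _, ok := strings.Cut(text, ":")
		if fences != 1 || !ok || strings.HasPrefix(text, "#") || strings.HasPrefix(text, "- ") {
			continue
		}
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		for len(indents) > 0 && indents[len(indents)-1] >= indent {
			keys, indents = keys[:len(keys)-1], indents[:len(indents)-1]
		}
		keys, indents = append(keys, key), append(indents, indent)
		if key == "run-install-scripts" {
			out = append(out, Finding{i + 1, strings.Join(keys, "."), len(keys) == 3 && keys[0] == "runtimes"})
		}
	}
	return out
}

func main() {
	fmt.Println(AuditFrontmatter(sample))
}
```

Any finding with `Valid` false is a workflow that still relies on a key the schema no longer accepts, or that sets the flag somewhere it was never read.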