From 670013c62a682eb9196465ef505eb529a642f559 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 00:22:08 +0000 Subject: [PATCH 1/7] Initial plan From 38632c9ce2765f57b42880c4a791bf49f11fdf7c Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 00:54:08 +0000 Subject: [PATCH 2/7] Apply DIFC integrity filtering to pre-agentic activation job steps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inject DIFC proxy start/stop into buildActivationJob so that all actions/github-script calls (add_reaction, check_workflow_timestamp, compute_text, add_workflow_run_comment, lock-issue, remove_trigger_label, etc.) are routed through integrity filtering when min-integrity is set. The proxy startup script already sets GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, and GH_HOST via $GITHUB_ENV, so no per-step base-url injection is needed — all subsequent Octokit calls are intercepted automatically. Condition used: hasDIFCGuardsConfigured (same as indexing job), since the activation job always makes GitHub API calls via github-script regardless of custom steps. Also updates the package comment in compiler_difc_proxy.go and adds TestDIFCProxyInjectedInActivationJob tests. Recompiled all 177 workflow lock files. 
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/dbd57cd2-a5f2-480b-aa12-24198fde2259 --- .github/workflows/contribution-check.lock.yml | 11 +- .../workflows/daily-issues-report.lock.yml | 11 +- .../workflows/discussion-task-miner.lock.yml | 11 +- .github/workflows/grumpy-reviewer.lock.yml | 11 +- .github/workflows/issue-arborist.lock.yml | 11 +- .github/workflows/issue-monster.lock.yml | 11 +- .github/workflows/issue-triage-agent.lock.yml | 11 +- .github/workflows/org-health-report.lock.yml | 11 +- .github/workflows/plan.lock.yml | 11 +- .github/workflows/pr-triage-agent.lock.yml | 11 +- .github/workflows/q.lock.yml | 11 +- .github/workflows/refiner.lock.yml | 11 +- .github/workflows/scout.lock.yml | 11 +- .../workflows/smoke-agent-all-merged.lock.yml | 11 +- .../workflows/smoke-agent-all-none.lock.yml | 11 +- .../smoke-agent-public-approved.lock.yml | 11 +- .../smoke-agent-public-none.lock.yml | 11 +- .../smoke-agent-scoped-approved.lock.yml | 11 +- .../workflows/stale-repo-identifier.lock.yml | 11 +- .../weekly-blog-post-writer.lock.yml | 11 +- .../workflows/weekly-issue-summary.lock.yml | 11 +- .../weekly-safe-outputs-spec-review.lock.yml | 11 +- .github/workflows/workflow-generator.lock.yml | 11 +- pkg/workflow/compiler_activation_job.go | 22 +++ pkg/workflow/compiler_difc_proxy.go | 19 ++- pkg/workflow/compiler_difc_proxy_test.go | 148 ++++++++++++++++++ 26 files changed, 416 insertions(+), 26 deletions(-) diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 5f0969a1fd..0682a80ff9 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml 
@@ -69,6 +69,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -84,7 +89,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -240,6 +245,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 986279e4fc..e9207f3c03 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -78,6 +78,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
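Review bot: The proxy image in the added `Start DIFC proxy for pre-agent gh calls` step is referenced by a mutable tag (`ghcr.io/github/gh-aw-mcpg:v0.2.6`), while the `uses:` lines in the same job are pinned to commit SHAs. The container is handed `GH_TOKEN` and, per the commit description, sits in the path of every later Octokit call with its CA trusted through `NODE_EXTRA_CA_CERTS`, so a re-pointed tag would see both the token and the API traffic. Consider emitting a digest-pinned reference such as `ghcr.io/github/gh-aw-mcpg:v0.2.6@sha256:<digest>`; the same step is repeated in every regenerated lock file in this patch. These files are generated, so the change belongs in the compiler code that emits the step, which is outside this part of the patch.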
@@ -93,7 +98,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -276,6 +281,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 3e7f3f795c..09f3b6a62e 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -71,6 +71,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +91,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -252,6 +257,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index c5506ddc56..617fd42151 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -82,6 +82,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -97,7 +102,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -310,6 +315,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 1e2c8b90d9..8790bc4a3e 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -72,6 +72,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +92,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -246,6 +251,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 013c09aef7..767226b509 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml 
@@ -435,6 +435,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -450,7 +455,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -619,6 +624,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index f56f402378..3b7d8f54cf 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -69,6 +69,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -84,7 +89,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -239,6 +244,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index af5d23fc93..9f44293736 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -73,6 +73,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -88,7 +93,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -257,6 +262,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 5428298944..6083647c8c 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -75,6 +75,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +95,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -292,6 +297,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 1dd29b864c..0da1fee5dd 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -66,6 +66,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -81,7 +86,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -248,6 +253,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 623e2160dc..5234105069 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -101,6 +101,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -116,7 +121,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -339,6 +344,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index e5e902dc8f..22fd02b5f4 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -82,6 +82,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -97,7 +102,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -269,6 +274,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index cfc758485b..1c24c2fc59 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -125,6 +125,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -140,7 +145,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -382,6 +387,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 679f9f9f3a..7a8ab0a29e 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -81,6 +81,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"merged","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +101,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,6 +278,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 04c7e7ed81..d350d83a19 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -81,6 +81,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +101,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,6 +278,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 5ebda14bca..67ef6e4e0f 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml 
@@ -81,6 +81,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"public"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +101,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,6 +278,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index b75e9d4ff7..8695c4a316 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml 
@@ -81,6 +81,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"public"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +101,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,6 +278,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 282c6fc90b..0478c46951 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml 
@@ -81,6 +81,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw","github/*"]}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +101,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -273,6 +278,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 0718475694..0b2350cf32 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml 
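Review bot: The policy JSON is spliced into the `run:` script as a single-quoted shell argument (`'{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw","github/*"]}}'`), so a `'` in any value taken from workflow configuration would end the quoting and the remainder would be parsed as shell. Whether the compiler rejects or escapes such values is not visible in this hunk. Passing the policy through the step's `env:` and expanding it quoted, e.g. `start_difc_proxy.sh "$DIFC_POLICY" ...` (the variable name is only a suggestion), keeps it out of the script text. The other start steps in this patch build the argument the same way.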
@@ -81,6 +81,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -96,7 +101,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -274,6 +279,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index aecd9568a7..217d2c4eb9 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml 
@@ -71,6 +71,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw"]}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +91,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -264,6 +269,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 2fcafb7da1..44d31e0c97 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml 
@@ -72,6 +72,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +92,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","node","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -257,6 +262,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index b669ea9204..9e424803b5 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml 
@@ -67,6 +67,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -82,7 +87,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -236,6 +241,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 88e76970c2..ec809e945a 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml 
@@ -70,6 +70,11 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions + - name: Start DIFC proxy for pre-agent gh calls + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -85,7 +90,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_AWMG_VERSION: "v0.2.6" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -270,6 +275,10 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh + - name: Stop DIFC proxy + if: always() + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go index fb7808c531..772ef1bda7 100644 --- a/pkg/workflow/compiler_activation_job.go +++ b/pkg/workflow/compiler_activation_job.go 
@@ -35,6 +35,21 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate // Activation job doesn't need project support (no safe outputs processed here) steps = append(steps, c.generateSetupStep(setupActionRef, SetupActionDestination, false)...) + // Start DIFC proxy early in the activation job, immediately after setup and before any + // actions/github-script or gh CLI step. The proxy startup script sets GITHUB_API_URL, + // GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, and GH_HOST via $GITHUB_ENV so all subsequent + // github-script Octokit calls are routed through integrity filtering automatically. + // We track whether the proxy was actually started so we only emit the stop step when needed. + var difcProxyInjectedInActivation bool + if hasDIFCGuardsConfigured(data) { + compilerActivationJobLog.Print("DIFC guards configured; injecting proxy start into activation job") + startStep := c.buildStartDIFCProxyStepYAML(data) + if startStep != "" { + steps = append(steps, startStep) + difcProxyInjectedInActivation = true + } + } + // When a workflow_call trigger is present, resolve the platform (host) repository before // generating aw_info so that target_repo can be included in aw_info.json and used by // the checkout step. This is necessary for event-driven relays (e.g. on: issue_comment) 
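Review bot: When `hasDIFCGuardsConfigured(data)` is true but `buildStartDIFCProxyStepYAML` returns an empty string, the added block skips the proxy and compilation continues, so a workflow that declares `min-integrity` is emitted with unfiltered activation steps. A later patch in this series only adds a log line for that branch, and the pre-activation hunk in `compiler_pre_activation_job.go` has the same shape. Since `buildActivationJob` already returns an error (the test in this patch reads `job, err := c.buildActivationJob(...)`), the empty case could fail the compile instead, e.g. `return nil, errors.New("DIFC guards configured but proxy start step is empty")`, assuming `errors` is imported in this file. If an empty result is a legitimate outcome, a comment at the `if startStep != ""` check should say when. The function body starts and ends outside the hunk.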
@@ -451,6 +466,13 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate // That job builds the index and saves/restores it via the GitHub Actions cache, and the agent job // restores the index using actions/cache/restore. + // Stop DIFC proxy before artifact upload. The stop step always runs (if: always()) to + // ensure the container and CA cert are cleaned up even when earlier steps failed. + if difcProxyInjectedInActivation { + compilerActivationJobLog.Print("DIFC proxy was started; injecting proxy stop step into activation job") + steps = append(steps, buildStopDIFCProxyStepYAML()) + } + // Upload aw_info.json and prompt.txt as the activation artifact for the agent job to download. // In workflow_call context the artifact is prefixed to avoid name clashes when multiple callers // invoke the same reusable workflow within the same parent workflow run. diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index c7a2846b23..ff83b059e8 100644 --- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go 
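Review bot: The stop step is appended before the artifact upload, but nothing here says what happens to the endpoints the start step exported. Per the comment in the first hunk, `GITHUB_API_URL`, `GITHUB_GRAPHQL_URL`, `NODE_EXTRA_CA_CERTS` and `GH_HOST` are written to `$GITHUB_ENV`, so they stay set for every later step unless `stop_difc_proxy.sh` clears them, which this diff does not show. A step added after this point that calls the GitHub API would then target a stopped proxy and a removed CA certificate. I would extend the new comment with `// No step after this point may call the GitHub API unless stop_difc_proxy.sh restores the original endpoints.` and confirm the script's behaviour. The function body starts and ends outside the hunk.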
@@ -19,15 +19,20 @@ package workflow // addition to GH_HOST, so it intercepts Octokit calls as well. Proxy wrapping is therefore // also injected around qmd indexing steps when DIFC guards are configured. // +// Note: activation job GitHub API calls (reactions, timestamp checks, body fetch, comments, +// lock, label removal) are also made via actions/github-script. The proxy is therefore also +// injected into the activation job when DIFC guards are configured. +// // The proxy uses the same container image as the MCP gateway (gh-aw-mcpg) // but runs in "proxy" mode with --guards-mode filter (graceful degradation) // and --tls (required by the gh CLI HTTPS-only constraint). // // Injection conditions: // -// Main job: GitHub tool has explicit guard policies (min-integrity set) AND -// custom steps set GH_TOKEN -// Indexing job: GitHub tool has explicit guard policies (min-integrity set) +// Main job: GitHub tool has explicit guard policies (min-integrity set) AND +// custom steps set GH_TOKEN +// Activation job: GitHub tool has explicit guard policies (min-integrity set) +// Indexing job: GitHub tool has explicit guard policies (min-integrity set) // // Proxy lifecycle within the main job: // 1. Start proxy — after "Configure gh CLI" step, before custom steps 
@@ -36,6 +41,14 @@ package workflow // 3. Stop proxy — before MCP gateway starts (generateMCPSetup); always runs // even if earlier steps failed (if: always(), continue-on-error: true) // +// Proxy lifecycle within the activation job: +// 1. Start proxy — after setup step, before any actions/github-script or gh CLI step +// 2. All activation github-script steps run with all proxy env vars set +// (GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, GH_HOST); +// Octokit calls in actions/github-script are intercepted automatically +// 3. Stop proxy — before activation artifact upload; always runs +// (if: always(), continue-on-error: true) +// // Proxy lifecycle within the indexing job: // 1. Start proxy — before qmd index-building steps // 2. qmd steps run with all proxy env vars set (GH_HOST, GITHUB_API_URL, GITHUB_GRAPHQL_URL, diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index 98823ec0cc..c8c98a56ee 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go 
@@ -633,3 +633,151 @@ func TestDIFCProxyInjectedInIndexingJob(t *testing.T) { "indexing job should NOT include proxy stop step without guard policy") }) } + +// TestDIFCProxyInjectedInActivationJob verifies that DIFC proxy steps are injected +// into the activation job when guard policies are configured. +func TestDIFCProxyInjectedInActivationJob(t *testing.T) { + t.Run("proxy injected in activation job when guard policy configured", func(t *testing.T) { + workflow := `--- +on: issues +engine: copilot +tools: + github: + mode: local + toolsets: [default] + min-integrity: approved +--- + +# Test Workflow + +Test that DIFC proxy is injected into the activation job when min-integrity is set. +` + compiler := NewCompiler() + data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") + require.NoError(t, err, "parsing should succeed") + + result, err := compiler.CompileToYAML(data, "test-workflow.md") + require.NoError(t, err, "compilation should succeed") + + // Find the activation job section + activationIdx := strings.Index(result, "activation:") + require.Greater(t, activationIdx, -1, "activation job should be present") + + // Find the agent job section (to bound our search to the activation job) + agentIdx := strings.Index(result, "agent:") + require.Greater(t, agentIdx, -1, "agent job should be present") + + // Extract activation job content (before agent job) + activationSection := result[activationIdx:agentIdx] + + // Proxy start must be present in activation job + assert.Contains(t, activationSection, "Start DIFC proxy for pre-agent gh calls", + "activation job should contain proxy start step when guard policy is configured") + + // Proxy stop must be present in activation job + assert.Contains(t, activationSection, "Stop DIFC proxy", + "activation job should contain proxy stop step when guard policy is configured") + + // Proxy start must come before proxy stop + startIdx := strings.Index(activationSection, "Start DIFC proxy for pre-agent gh 
calls") + stopIdx := strings.Index(activationSection, "Stop DIFC proxy") + assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in activation job") + + // Proxy start must come before the first github-script step (add reaction, timestamp check, etc.) + // Verify start comes before the "Upload activation artifact" step + uploadIdx := strings.Index(activationSection, "Upload activation artifact") + require.Greater(t, uploadIdx, -1, "activation artifact upload step should be present") + assert.Less(t, stopIdx, uploadIdx, "Stop DIFC proxy must come before artifact upload") + }) + + t.Run("proxy not injected in activation job without guard policy", func(t *testing.T) { + workflow := `--- +on: issues +engine: copilot +tools: + github: + mode: local + toolsets: [default] +--- + +# Test Workflow + +Test that DIFC proxy is NOT injected into the activation job when min-integrity is not set. +` + compiler := NewCompiler() + data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") + require.NoError(t, err, "parsing should succeed") + + result, err := compiler.CompileToYAML(data, "test-workflow.md") + require.NoError(t, err, "compilation should succeed") + + // Find the activation job section + activationIdx := strings.Index(result, "activation:") + require.Greater(t, activationIdx, -1, "activation job should be present") + + agentIdx := strings.Index(result, "agent:") + require.Greater(t, agentIdx, -1, "agent job should be present") + + activationSection := result[activationIdx:agentIdx] + + assert.NotContains(t, activationSection, "Start DIFC proxy", + "activation job should NOT contain proxy start step without guard policy") + assert.NotContains(t, activationSection, "Stop DIFC proxy", + "activation job should NOT contain proxy stop step without guard policy") + }) + + t.Run("buildActivationJob includes proxy steps when guard policy configured", func(t *testing.T) { + c := NewCompiler() + data := &WorkflowData{ + Name: "test-workflow", + 
Tools: map[string]any{ + "github": map[string]any{"min-integrity": "approved"}, + }, + AI: "copilot", + SandboxConfig: &SandboxConfig{}, + } + ensureDefaultMCPGatewayConfig(data) + + job, err := c.buildActivationJob(data, false, "", "test-workflow.lock.yml") + require.NoError(t, err, "buildActivationJob should succeed") + require.NotNil(t, job, "job should not be nil") + + allSteps := strings.Join(job.Steps, "\n") + assert.Contains(t, allSteps, "Start DIFC proxy for pre-agent gh calls", + "activation job should include proxy start step when guard policy is configured") + assert.Contains(t, allSteps, "Stop DIFC proxy", + "activation job should include proxy stop step when guard policy is configured") + + startIdx := strings.Index(allSteps, "Start DIFC proxy for pre-agent gh calls") + stopIdx := strings.Index(allSteps, "Stop DIFC proxy") + assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in activation job") + + // Stop proxy must come before artifact upload + uploadIdx := strings.Index(allSteps, "Upload activation artifact") + require.Greater(t, uploadIdx, -1, "artifact upload step should be present") + assert.Less(t, stopIdx, uploadIdx, "Stop DIFC proxy must come before artifact upload") + }) + + t.Run("buildActivationJob has no proxy steps without guard policy", func(t *testing.T) { + c := NewCompiler() + data := &WorkflowData{ + Name: "test-workflow", + Tools: map[string]any{ + "github": map[string]any{"toolsets": []string{"default"}}, + }, + AI: "copilot", + SandboxConfig: &SandboxConfig{}, + } + ensureDefaultMCPGatewayConfig(data) + + job, err := c.buildActivationJob(data, false, "", "test-workflow.lock.yml") + require.NoError(t, err, "buildActivationJob should succeed") + require.NotNil(t, job, "job should not be nil") + + allSteps := strings.Join(job.Steps, "\n") + assert.NotContains(t, allSteps, "Start DIFC proxy", + "activation job should NOT include proxy start step without guard policy") + assert.NotContains(t, allSteps, "Stop 
DIFC proxy", + "activation job should NOT include proxy stop step without guard policy") + }) +} From a682950f8c92394bf2165300466a05e73c8ffb4f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 00:57:50 +0000 Subject: [PATCH 3/7] Add warning log when DIFC guard configured but proxy step generation fails Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/dbd57cd2-a5f2-480b-aa12-24198fde2259 --- pkg/workflow/compiler_activation_job.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go index 772ef1bda7..9617b88a5a 100644 --- a/pkg/workflow/compiler_activation_job.go +++ b/pkg/workflow/compiler_activation_job.go @@ -47,6 +47,8 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate if startStep != "" { steps = append(steps, startStep) difcProxyInjectedInActivation = true + } else { + compilerActivationJobLog.Print("Warning: DIFC guards configured but proxy step generation returned empty; proxy will not be started in activation job") } } From ac14b094c35a0c97642c33fdbacc24f9da8e85d4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 25 Mar 2026 03:43:52 +0000 Subject: [PATCH 4/7] Extend DIFC proxy injection to pre-activation job (on.steps and compiler checks) Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/14d51822-1e33-42dd-a755-9a3c7a18e90a --- pkg/workflow/compiler_difc_proxy.go | 22 ++- pkg/workflow/compiler_difc_proxy_test.go | 176 ++++++++++++++++++++ pkg/workflow/compiler_pre_activation_job.go | 23 +++ 3 files changed, 217 insertions(+), 4 deletions(-) diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index ff83b059e8..e9edf20403 100644 
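Review bot: The first subtest's comment says the proxy start must precede the first github-script step, but the assertion that follows only checks that the stop step precedes `Upload activation artifact`, so the ordering that integrity filtering depends on is never tested. Adding `assert.Less(t, startIdx, strings.Index(activationSection, "actions/github-script"))` would pin it, provided no earlier step in the section mentions that string. Separately, `strings.Index(result, "activation:")` also matches the tail of `pre_activation:`, and `result[activationIdx:agentIdx]` panics if the agent job is emitted before the activation job. Anchoring on the full job key with its leading newline and indentation, as the pre-activation test later in this series does, avoids both.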
--- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go @@ -23,16 +23,22 @@ package workflow // lock, label removal) are also made via actions/github-script. The proxy is therefore also // injected into the activation job when DIFC guards are configured. // +// Note: pre-activation job GitHub API calls (membership checks, skip-if queries, rate limit, +// and user-defined on.steps / jobs.pre-activation custom steps) are also made via +// actions/github-script. The proxy is therefore also injected into the pre-activation job +// when DIFC guards are configured. +// // The proxy uses the same container image as the MCP gateway (gh-aw-mcpg) // but runs in "proxy" mode with --guards-mode filter (graceful degradation) // and --tls (required by the gh CLI HTTPS-only constraint). // // Injection conditions: // -// Main job: GitHub tool has explicit guard policies (min-integrity set) AND -// custom steps set GH_TOKEN -// Activation job: GitHub tool has explicit guard policies (min-integrity set) -// Indexing job: GitHub tool has explicit guard policies (min-integrity set) +// Main job: GitHub tool has explicit guard policies (min-integrity set) AND +// custom steps set GH_TOKEN +// Activation job: GitHub tool has explicit guard policies (min-integrity set) +// Pre-activation job: GitHub tool has explicit guard policies (min-integrity set) +// Indexing job: GitHub tool has explicit guard policies (min-integrity set) // // Proxy lifecycle within the main job: // 1. Start proxy — after "Configure gh CLI" step, before custom steps 
@@ -49,6 +55,14 @@ package workflow // 3. Stop proxy — before activation artifact upload; always runs // (if: always(), continue-on-error: true) // +// Proxy lifecycle within the pre-activation job: +// 1. Start proxy — after setup step, before any github-script step (membership checks, +// rate limit, skip-if queries, and user-defined on.steps / jobs.pre-activation steps) +// 2. All pre-activation github-script steps run with all proxy env vars set +// (GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, GH_HOST) +// 3. Stop proxy — after all user-defined steps (on.steps and custom steps); always runs +// (if: always(), continue-on-error: true) +// // Proxy lifecycle within the indexing job: // 1. Start proxy — before qmd index-building steps // 2. qmd steps run with all proxy env vars set (GH_HOST, GITHUB_API_URL, GITHUB_GRAPHQL_URL, diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index c8c98a56ee..ce59f20eab 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go 
@@ -781,3 +781,179 @@ Test that DIFC proxy is NOT injected into the activation job when min-integrity "activation job should NOT include proxy stop step without guard policy") }) } + +// TestDIFCProxyInjectedInPreActivationJob verifies that DIFC proxy steps are injected +// into the pre-activation job (which contains user-defined on.steps and compiler-added +// checks) when guard policies are configured. +func TestDIFCProxyInjectedInPreActivationJob(t *testing.T) { + t.Run("proxy injected in pre-activation job when guard policy configured", func(t *testing.T) { + // Note: ParseWorkflowString does not run processOnSectionAndFilters so OnSteps is + // empty in this path. The pre-activation job is still created because the workflow + // uses on.issues (an unsafe event) triggering the membership check. + // The proxy injection is gated on hasDIFCGuardsConfigured which only requires + // min-integrity to be set in the github tool config. + workflow := `--- +on: + issues: + types: [opened] +engine: copilot +tools: + github: + mode: local + toolsets: [default] + min-integrity: approved +permissions: + issues: read + pull-requests: read + contents: read +--- + +# Test Workflow + +Test that DIFC proxy is injected into the pre-activation job when min-integrity is set. +` + compiler := NewCompiler() + data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") + require.NoError(t, err, "parsing should succeed") + + result, err := compiler.CompileToYAML(data, "test-workflow.md") + require.NoError(t, err, "compilation should succeed") + + // Extract the pre_activation job section from the full YAML. + // Jobs may appear in any order in the map; find "pre_activation:" and take from there. 
+ preActivationMarker := "\n pre_activation:" + preActivationIdx := strings.Index(result, preActivationMarker) + require.Greater(t, preActivationIdx, -1, "pre_activation job should be present in compiled YAML") + + preActivationSection := result[preActivationIdx:] + + // Proxy start must be present in pre_activation section + assert.Contains(t, preActivationSection, "Start DIFC proxy for pre-agent gh calls", + "pre-activation job should contain proxy start step when guard policy is configured") + + // Proxy stop must be present in pre_activation section + assert.Contains(t, preActivationSection, "Stop DIFC proxy", + "pre-activation job should contain proxy stop step when guard policy is configured") + + // Proxy start must come before proxy stop + startIdx := strings.Index(preActivationSection, "Start DIFC proxy for pre-agent gh calls") + stopIdx := strings.Index(preActivationSection, "Stop DIFC proxy") + assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in pre-activation job") + }) + + t.Run("proxy not injected in pre-activation job without guard policy", func(t *testing.T) { + workflow := `--- +on: + issues: + types: [opened] +engine: copilot +tools: + github: + mode: local + toolsets: [default] +permissions: + issues: read + pull-requests: read +--- + +# Test Workflow + +Test that DIFC proxy is NOT injected into the pre-activation job when min-integrity is not set. 
+` + compiler := NewCompiler() + data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") + require.NoError(t, err, "parsing should succeed") + + result, err := compiler.CompileToYAML(data, "test-workflow.md") + require.NoError(t, err, "compilation should succeed") + + preActivationMarker := "\n pre_activation:" + preActivationIdx := strings.Index(result, preActivationMarker) + require.Greater(t, preActivationIdx, -1, "pre_activation job should be present in compiled YAML") + + preActivationSection := result[preActivationIdx:] + + assert.NotContains(t, preActivationSection, "Start DIFC proxy", + "pre-activation job should NOT contain proxy start step without guard policy") + assert.NotContains(t, preActivationSection, "Stop DIFC proxy", + "pre-activation job should NOT contain proxy stop step without guard policy") + }) + + t.Run("buildPreActivationJob includes proxy steps when guard policy configured with on.steps", func(t *testing.T) { + c := NewCompiler() + data := &WorkflowData{ + Name: "test-workflow", + Tools: map[string]any{ + "github": map[string]any{"min-integrity": "approved"}, + }, + AI: "copilot", + OnSteps: []map[string]any{ + { + "name": "Custom gate check", + "id": "gate", + "uses": "actions/github-script@v7", + "with": map[string]any{ + "script": "core.setOutput('approved', 'true')", + }, + }, + }, + SandboxConfig: &SandboxConfig{}, + } + ensureDefaultMCPGatewayConfig(data) + + job, err := c.buildPreActivationJob(data, false) + require.NoError(t, err, "buildPreActivationJob should succeed") + require.NotNil(t, job, "job should not be nil") + + allSteps := strings.Join(job.Steps, "\n") + assert.Contains(t, allSteps, "Start DIFC proxy for pre-agent gh calls", + "pre-activation job should include proxy start step when guard policy is configured") + assert.Contains(t, allSteps, "Stop DIFC proxy", + "pre-activation job should include proxy stop step when guard policy is configured") + + startIdx := strings.Index(allSteps, "Start DIFC proxy 
for pre-agent gh calls") + stopIdx := strings.Index(allSteps, "Stop DIFC proxy") + assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in pre-activation job") + + // User-defined on.step must be between start and stop + gateIdx := strings.Index(allSteps, "Custom gate check") + require.Greater(t, gateIdx, -1, "on.steps should appear in pre-activation steps") + assert.Less(t, startIdx, gateIdx, "Proxy start must come before user-defined on.steps") + assert.Less(t, gateIdx, stopIdx, "on.steps must come before proxy stop") + }) + + t.Run("buildPreActivationJob has no proxy steps without guard policy", func(t *testing.T) { + c := NewCompiler() + data := &WorkflowData{ + Name: "test-workflow", + Tools: map[string]any{ + "github": map[string]any{"toolsets": []string{"default"}}, + }, + AI: "copilot", + // OnSteps is required to create a valid pre-activation job without + // permission checks or stop-time. + OnSteps: []map[string]any{ + { + "name": "Custom gate check", + "id": "gate", + "uses": "actions/github-script@v7", + "with": map[string]any{ + "script": "core.setOutput('approved', 'true')", + }, + }, + }, + SandboxConfig: &SandboxConfig{}, + } + ensureDefaultMCPGatewayConfig(data) + + job, err := c.buildPreActivationJob(data, false) + require.NoError(t, err, "buildPreActivationJob should succeed") + require.NotNil(t, job, "job should not be nil") + + allSteps := strings.Join(job.Steps, "\n") + assert.NotContains(t, allSteps, "Start DIFC proxy", + "pre-activation job should NOT include proxy start step without guard policy") + assert.NotContains(t, allSteps, "Stop DIFC proxy", + "pre-activation job should NOT include proxy stop step without guard policy") + }) +} diff --git a/pkg/workflow/compiler_pre_activation_job.go b/pkg/workflow/compiler_pre_activation_job.go index c14795a68f..4391976ee9 100644 --- a/pkg/workflow/compiler_pre_activation_job.go +++ b/pkg/workflow/compiler_pre_activation_job.go 
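Review bot: `preActivationSection := result[preActivationIdx:]` runs to the end of the compiled YAML, so the two `assert.Contains` checks in the first subtest also pass on proxy steps that belong to later jobs. The activation job, for instance, gets a step with the same name from the earlier patch in this series, so this subtest would stay green even if the pre-activation injection were removed. The slice needs an upper bound at the next job key before the assertions, e.g. `preActivationSection = preActivationSection[:nextJobIdx]` with `nextJobIdx` found by searching for the next job header after the marker. The `buildPreActivationJob` subtests are not affected, since they join only that job's steps.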
@@ -41,6 +41,21 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec // Pre-activation job doesn't need project support (no safe outputs processed here) steps = append(steps, c.generateSetupStep(setupActionRef, SetupActionDestination, false)...) + // Start DIFC proxy immediately after setup and before any github-script or gh CLI call. + // on.steps and jobs.pre-activation custom steps may access GH_TOKEN and make API calls; + // the proxy ensures those calls are integrity-filtered when min-integrity is configured. + var difcProxyInjectedInPreActivation bool + if hasDIFCGuardsConfigured(data) { + compilerActivationJobsLog.Print("DIFC guards configured; injecting proxy start into pre-activation job") + startStep := c.buildStartDIFCProxyStepYAML(data) + if startStep != "" { + steps = append(steps, startStep) + difcProxyInjectedInPreActivation = true + } else { + compilerActivationJobsLog.Print("Warning: DIFC guards configured but proxy step generation returned empty; proxy will not be started in pre-activation job") + } + } + // Determine permissions for pre-activation job var perms *Permissions if needsContentsRead { @@ -252,6 +267,14 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec } } + // Stop DIFC proxy after all user-defined steps (on.steps and custom steps) have run. + // The stop step always runs (if: always()) to clean up the container and CA cert + // even when earlier steps failed. + if difcProxyInjectedInPreActivation { + compilerActivationJobsLog.Print("DIFC proxy was started; injecting proxy stop step into pre-activation job") + steps = append(steps, buildStopDIFCProxyStepYAML()) + } + // Generate the activated output expression using expression builders var activatedNode ConditionNode From 3c16f0b56f5835e11226b4985f99d97acff0d1fc Mon Sep 17 00:00:00 2001 
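Review bot: The `else` branch of the added start block fails open. When `hasDIFCGuardsConfigured(data)` is true but `buildStartDIFCProxyStepYAML` returns an empty string, the compiler only logs a warning and still emits the pre-activation job, so `on.steps` and the custom steps would run with `GH_TOKEN` and no integrity filtering even though `min-integrity` was requested. Nothing in the compiled workflow would show that the guard was dropped. The tests in this series call `job, err := c.buildPreActivationJob(data, false)`, so the function can report the condition; I would replace the warning with something like `return nil, errors.New("difc guards configured but proxy start step is empty")`, assuming the job result is a pointer and `errors` is available in this file. The body of `buildPreActivationJob` starts and ends outside this hunk.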
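Review bot: The stop step appended in the second hunk (`@@ -252,6 +267,14 @@`) relies on an ordering invariant that is not documented: it has to remain the last step that talks to the GitHub API. The series' earlier commit message says the start script redirects `GITHUB_API_URL`, `GITHUB_GRAPHQL_URL`, `NODE_EXTRA_CA_CERTS` and `GH_HOST` through `$GITHUB_ENV`. Unless the stop script resets those values (not visible here), a step appended after this block would inherit endpoints that point at a proxy that is no longer running. I would extend the comment with a line such as `// Keep this the final API-calling step: env written to $GITHUB_ENV by the start script still targets the proxy.` and have the pre-activation test assert that no step follows "Stop DIFC proxy". The enclosing function continues past the end of this hunk.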
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:39:38 +0000 Subject: [PATCH 5/7] Revert DIFC proxy injection from activation and pre-activation jobs per reviewer request Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3f005084-69aa-4fe2-be12-f5979c050b8c Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 1 - .../agent-performance-analyzer.lock.yml | 1 - .../workflows/agent-persona-explorer.lock.yml | 1 - .../agentic-observability-kit.lock.yml | 1 - .github/workflows/ai-moderator.lock.yml | 1 - .github/workflows/archie.lock.yml | 1 - .github/workflows/artifacts-summary.lock.yml | 1 - .github/workflows/audit-workflows.lock.yml | 1 - .github/workflows/auto-triage-issues.lock.yml | 1 - .github/workflows/blog-auditor.lock.yml | 1 - .github/workflows/bot-detection.lock.yml | 1 - .github/workflows/brave.lock.yml | 1 - .../breaking-change-checker.lock.yml | 1 - .github/workflows/changeset.lock.yml | 1 - .github/workflows/ci-coach.lock.yml | 1 - .github/workflows/ci-doctor.lock.yml | 1 - .../claude-code-user-docs-review.lock.yml | 1 - .../cli-consistency-checker.lock.yml | 1 - .../workflows/cli-version-checker.lock.yml | 1 - .github/workflows/cloclo.lock.yml | 1 - .../workflows/code-scanning-fixer.lock.yml | 1 - .github/workflows/code-simplifier.lock.yml | 1 - .../codex-github-remote-mcp-test.lock.yml | 1 - .../commit-changes-analyzer.lock.yml | 1 - .../constraint-solving-potd.lock.yml | 1 - .github/workflows/contribution-check.lock.yml | 13 +- .../workflows/copilot-agent-analysis.lock.yml | 1 - .../copilot-cli-deep-research.lock.yml | 1 - .../copilot-pr-merged-report.lock.yml | 1 - .../copilot-pr-nlp-analysis.lock.yml | 1 - .../copilot-pr-prompt-analysis.lock.yml | 1 - .../copilot-session-insights.lock.yml | 1 - .github/workflows/craft.lock.yml | 1 - .../daily-architecture-diagram.lock.yml | 1 - .../daily-assign-issue-to-user.lock.yml | 1 - 
.github/workflows/daily-choice-test.lock.yml | 1 - .../workflows/daily-cli-performance.lock.yml | 1 - .../workflows/daily-cli-tools-tester.lock.yml | 1 - .github/workflows/daily-code-metrics.lock.yml | 1 - .../daily-community-attribution.lock.yml | 1 - .../workflows/daily-compiler-quality.lock.yml | 1 - .../daily-copilot-token-report.lock.yml | 1 - .github/workflows/daily-doc-healer.lock.yml | 1 - .github/workflows/daily-doc-updater.lock.yml | 1 - .github/workflows/daily-file-diet.lock.yml | 1 - .../workflows/daily-firewall-report.lock.yml | 1 - .../workflows/daily-function-namer.lock.yml | 1 - .../daily-integrity-analysis.lock.yml | 1 - .../workflows/daily-issues-report.lock.yml | 13 +- .../daily-malicious-code-scan.lock.yml | 1 - .../daily-mcp-concurrency-analysis.lock.yml | 1 - .../daily-multi-device-docs-tester.lock.yml | 1 - .github/workflows/daily-news.lock.yml | 1 - .../daily-observability-report.lock.yml | 1 - .../daily-performance-summary.lock.yml | 1 - .github/workflows/daily-regulatory.lock.yml | 1 - .../daily-rendering-scripts-verifier.lock.yml | 1 - .../workflows/daily-repo-chronicle.lock.yml | 1 - .../daily-safe-output-integrator.lock.yml | 1 - .../daily-safe-output-optimizer.lock.yml | 1 - .../daily-safe-outputs-conformance.lock.yml | 1 - .../workflows/daily-secrets-analysis.lock.yml | 1 - .../daily-security-red-team.lock.yml | 1 - .github/workflows/daily-semgrep-scan.lock.yml | 1 - .../daily-syntax-error-quality.lock.yml | 1 - .../daily-team-evolution-insights.lock.yml | 1 - .github/workflows/daily-team-status.lock.yml | 1 - .../daily-testify-uber-super-expert.lock.yml | 1 - .../workflows/daily-workflow-updater.lock.yml | 1 - .github/workflows/dead-code-remover.lock.yml | 1 - .github/workflows/deep-report.lock.yml | 1 - .github/workflows/delight.lock.yml | 1 - .github/workflows/dependabot-burner.lock.yml | 1 - .../workflows/dependabot-go-checker.lock.yml | 1 - .github/workflows/dev-hawk.lock.yml | 1 - .github/workflows/dev.lock.yml | 1 - 
.../developer-docs-consolidator.lock.yml | 1 - .github/workflows/dictation-prompt.lock.yml | 1 - .../workflows/discussion-task-miner.lock.yml | 13 +- .github/workflows/docs-noob-tester.lock.yml | 1 - .github/workflows/draft-pr-cleanup.lock.yml | 1 - .../duplicate-code-detector.lock.yml | 1 - .../example-permissions-warning.lock.yml | 1 - .../example-workflow-analyzer.lock.yml | 1 - .github/workflows/firewall-escape.lock.yml | 1 - .github/workflows/firewall.lock.yml | 1 - .../workflows/functional-pragmatist.lock.yml | 1 - .../github-mcp-structural-analysis.lock.yml | 1 - .../github-mcp-tools-report.lock.yml | 1 - .../github-remote-mcp-auth-test.lock.yml | 1 - .../workflows/glossary-maintainer.lock.yml | 1 - .github/workflows/go-fan.lock.yml | 1 - .github/workflows/go-logger.lock.yml | 1 - .../workflows/go-pattern-detector.lock.yml | 1 - .github/workflows/gpclean.lock.yml | 1 - .github/workflows/grumpy-reviewer.lock.yml | 13 +- .github/workflows/hourly-ci-cleaner.lock.yml | 1 - .../workflows/instructions-janitor.lock.yml | 1 - .github/workflows/issue-arborist.lock.yml | 13 +- .github/workflows/issue-monster.lock.yml | 13 +- .github/workflows/issue-triage-agent.lock.yml | 13 +- .github/workflows/jsweep.lock.yml | 1 - .../workflows/layout-spec-maintainer.lock.yml | 1 - .github/workflows/lockfile-stats.lock.yml | 1 - .github/workflows/mcp-inspector.lock.yml | 1 - .github/workflows/mergefest.lock.yml | 1 - .github/workflows/metrics-collector.lock.yml | 1 - .../workflows/notion-issue-summary.lock.yml | 1 - .github/workflows/org-health-report.lock.yml | 13 +- .github/workflows/pdf-summary.lock.yml | 1 - .github/workflows/plan.lock.yml | 13 +- .github/workflows/poem-bot.lock.yml | 1 - .github/workflows/portfolio-analyst.lock.yml | 1 - .../workflows/pr-nitpick-reviewer.lock.yml | 1 - .github/workflows/pr-triage-agent.lock.yml | 13 +- .../prompt-clustering-analysis.lock.yml | 1 - .github/workflows/python-data-charts.lock.yml | 1 - .github/workflows/q.lock.yml | 13 +- 
.github/workflows/refiner.lock.yml | 13 +- .github/workflows/release.lock.yml | 1 - .../workflows/repo-audit-analyzer.lock.yml | 1 - .github/workflows/repo-tree-map.lock.yml | 1 - .../repository-quality-improver.lock.yml | 1 - .github/workflows/research.lock.yml | 1 - .github/workflows/safe-output-health.lock.yml | 1 - .../schema-consistency-checker.lock.yml | 1 - .../schema-feature-coverage.lock.yml | 1 - .github/workflows/scout.lock.yml | 13 +- .../workflows/security-compliance.lock.yml | 1 - .github/workflows/security-review.lock.yml | 1 - .../semantic-function-refactor.lock.yml | 1 - .github/workflows/sergo.lock.yml | 1 - .../workflows/slide-deck-maintainer.lock.yml | 1 - .../workflows/smoke-agent-all-merged.lock.yml | 13 +- .../workflows/smoke-agent-all-none.lock.yml | 13 +- .../smoke-agent-public-approved.lock.yml | 13 +- .../smoke-agent-public-none.lock.yml | 13 +- .../smoke-agent-scoped-approved.lock.yml | 13 +- .../workflows/smoke-call-workflow.lock.yml | 1 - .github/workflows/smoke-claude.lock.yml | 1 - .github/workflows/smoke-codex.lock.yml | 1 - .github/workflows/smoke-copilot-arm.lock.yml | 1 - .github/workflows/smoke-copilot.lock.yml | 1 - .../smoke-create-cross-repo-pr.lock.yml | 1 - .github/workflows/smoke-gemini.lock.yml | 1 - .github/workflows/smoke-multi-pr.lock.yml | 1 - .github/workflows/smoke-project.lock.yml | 1 - .github/workflows/smoke-temporary-id.lock.yml | 1 - .github/workflows/smoke-test-tools.lock.yml | 1 - .../smoke-update-cross-repo-pr.lock.yml | 1 - .../smoke-workflow-call-with-inputs.lock.yml | 1 - .../workflows/smoke-workflow-call.lock.yml | 1 - .../workflows/stale-repo-identifier.lock.yml | 13 +- .../workflows/static-analysis-report.lock.yml | 1 - .../workflows/step-name-alignment.lock.yml | 1 - .github/workflows/sub-issue-closer.lock.yml | 1 - .github/workflows/super-linter.lock.yml | 1 - .../workflows/technical-doc-writer.lock.yml | 1 - .github/workflows/terminal-stylist.lock.yml | 1 - .../test-create-pr-error-handling.lock.yml 
| 1 - .github/workflows/test-dispatcher.lock.yml | 1 - .../test-project-url-default.lock.yml | 1 - .github/workflows/test-workflow.lock.yml | 1 - .github/workflows/tidy.lock.yml | 1 - .github/workflows/typist.lock.yml | 1 - .../workflows/ubuntu-image-analyzer.lock.yml | 1 - .github/workflows/unbloat-docs.lock.yml | 1 - .github/workflows/update-astro.lock.yml | 1 - .github/workflows/video-analyzer.lock.yml | 1 - .../weekly-blog-post-writer.lock.yml | 13 +- .../weekly-editors-health-check.lock.yml | 1 - .../workflows/weekly-issue-summary.lock.yml | 13 +- .../weekly-safe-outputs-spec-review.lock.yml | 13 +- .github/workflows/workflow-generator.lock.yml | 13 +- .../workflow-health-manager.lock.yml | 1 - .../workflows/workflow-normalizer.lock.yml | 1 - .../workflow-skill-extractor.lock.yml | 1 - pkg/workflow/compiler_activation_job.go | 37 +- pkg/workflow/compiler_difc_proxy.go | 41 +-- pkg/workflow/compiler_difc_proxy_test.go | 329 +----------------- pkg/workflow/compiler_pre_activation_job.go | 23 -- 181 files changed, 30 insertions(+), 853 deletions(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index ced9515527..fbbb9a0192 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -121,7 +121,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index fc051ee676..5c9bd959a1 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 7c8e6f3b7b..4ed8b0aedb 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml index cdef8b196e..2b16fec8e5 100644 --- a/.github/workflows/agentic-observability-kit.lock.yml +++ b/.github/workflows/agentic-observability-kit.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 887d85ad42..0f5df6bf78 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -127,7 +127,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 06a3992d12..f713cd053d 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -129,7 +129,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 3411cb076e..388e979c25 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml 
@@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 6f36b43e0d..e4d8a14322 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 8830b3dfe8..bce81f1a89 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index feaec35f04..fc7187fcac 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 71e5b66345..a55a414a0e 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index b22cf0c93b..d415497d04 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml 
@@ -119,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index f4ea1f6056..352cbb61aa 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index d9d893ffd5..e67e0c15ff 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -139,7 +139,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index f37df7de9b..cd43eca953 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 62657155ad..470cd0ad40 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -132,7 +132,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index c85528d575..ec06d1b0b9 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index d051148e30..8377b375b7 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -97,7 +97,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 22641b413f..365231fe31 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 807134861b..e8750d89b9 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -152,7 +152,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 3b9c12de1f..b5cfa7a7eb 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 87cf22172a..620c77b2ab 100644 --- a/.github/workflows/code-simplifier.lock.yml 
+++ b/.github/workflows/code-simplifier.lock.yml @@ -112,7 +112,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 93b41f06b6..1cc528695c 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 218a0d4fcf..100332d432 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index c0f6c0e042..15950307ec 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index be24883695..a389783fb1 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml 
@@ -69,11 +69,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +84,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -111,7 +106,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -246,10 +240,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -788,7 +778,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 80478c0207..97e965fa4e 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 11fa598526..60fea7cdb8 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index d633f4701f..7810c36c46 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 1885feca69..2970298a5b 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -106,7 +106,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 034a895031..4b46543eae 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 3acf99898e..062aa7049d 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -113,7 +113,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 72e98a8215..d08efad3a4 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -116,7 +116,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 5667aba4df..40be6fbfdf 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index cbbec83b0a..22ec4717cc 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -97,7 +97,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index c845f76cef..ea6017918f 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml 
@@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 390e17f053..9191bc37fa 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -130,7 +130,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 80b0878a91..6ab120f1f6 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 12836cc0f9..c183f80680 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index f7d1d84957..25842e810d 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index d62086e5fb..25f44fddc6 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 5c171e42eb..c87ac62492 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 41a84e9317..d53f697196 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 79dcc307cb..72b071bb08 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 6b6e5a00f1..6ec16d125e 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml 
@@ -107,7 +107,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 2928d104a4..58ec7b5cc1 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index f49b9bf1f2..863574c24e 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index 69516fe42e..453572d72b 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 7e86b64a33..ba8b07c81d 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml 
@@ -78,11 +78,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -98,7 +93,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -121,7 +116,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -282,10 +276,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -891,7 +881,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 250a29dd96..79c9565d83 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml 
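Review bot: In the `@@ -891,7 +881,6 @@` hunk of daily-issues-report.lock.yml the exclusion `!/tmp/gh-aw/proxy-logs/proxy-tls/` is dropped while `/tmp/gh-aw/proxy-logs/` stays in the uploaded path list, so anything written under `proxy-tls/` would now be included in the artifact. The directory name suggests TLS material for the proxy; if any remaining step can still create it, keep the line `!/tmp/gh-aw/proxy-logs/proxy-tls/` whenever the parent directory is uploaded. The same deletion recurs in the corresponding hunks of the discussion-task-miner, grumpy-reviewer, issue-arborist, issue-monster, issue-triage-agent, org-health-report and plan lock files. These files are generated, so the change belongs in the compiler that emits the path list rather than in the lock files, and the upload step itself starts outside the hunk.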
@@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index de2dec5df5..4338c6d124 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 1171855953..80be32adeb 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -113,7 +113,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index b886c2a6ce..08691cf60c 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 78f4429d92..75e034ef15 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index a31bd8fa14..87274a9c9b 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index c3a11b8e38..58194d30e2 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 307ac067b0..2ed397cdc4 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -112,7 +112,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 56f85e386d..1bf80cb883 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index 7a774013ca..8163e93fae 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml 
+++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 242722ecc0..9600587c91 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -114,7 +114,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 07f4d90370..8c11bc3964 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index bca1ae90b9..59834a4424 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index b66c6a5a74..6ddea2194a 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 27bb487a43..2bbef58873 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 2a7f619a09..a74c45651c 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index b9a641e2b1..4d417059a6 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 2f8854f0ec..bad2d9c4c7 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -117,7 +117,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 98f39106b6..f34dccb926 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml 
+++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 583c0ffb29..8bcf733954 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -98,7 +98,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index abeb4ad064..d1f33b6be9 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 832fa5156c..33e8a8c5b4 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 31a9af4442..bb9b51609a 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 894e3ad78c..ad12a084ea 100644 --- a/.github/workflows/dependabot-burner.lock.yml 
+++ b/.github/workflows/dependabot-burner.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 8af396237c..b26474ba32 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -107,7 +107,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 8c614cc5e8..58f840c74c 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 63956bb365..139282a69c 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -134,7 +134,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 095f575269..b0beccaeba 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index df41bef7e4..776bba3b73 100644 --- a/.github/workflows/dictation-prompt.lock.yml 
+++ b/.github/workflows/dictation-prompt.lock.yml @@ -102,7 +102,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index eb4d6f99a4..695d62dd5d 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -71,11 +71,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +86,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -108,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -258,10 +252,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -825,7 +815,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 1210fe9503..1732cad78a 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -103,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 6581a1ef4c..3ffc6f0e50 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -98,7 +98,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 290247d3b9..f921182b97 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 6061b37f2c..8b85392b31 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -101,7 +101,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 3546f8bd74..35707e86c2 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 3800db11f2..2aa916104e 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 19fd008532..d57f9fb9f7 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -101,7 +101,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index ac1e727d3a..b509b35162 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -107,7 +107,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index b695ca9a2e..bcec193ba2 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml 
@@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d594c3a792..0a8712e635 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 1a7af91d71..e3d60d17aa 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index c8cf37a1b1..592a259736 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index fb2e97578d..b927a9d5dd 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index a8c6eb4b1a..5855a009ef 100644 --- a/.github/workflows/go-logger.lock.yml 
+++ b/.github/workflows/go-logger.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 32e3cf4633..6107dc6961 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 4378639e2e..69a4281c0a 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 58c0c2e451..015e9ce518 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -82,11 +82,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -102,7 +97,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -138,7 +133,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -316,10 +310,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -857,7 +847,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 8f0fd201e3..bbec13c221 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index bc618b6db4..706dc8559f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 3ac6e06af3..fd4f708b64 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -72,11 +72,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -92,7 +87,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -115,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -252,10 +246,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -818,7 +808,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl 
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 2424215696..5c971120d7 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -435,11 +435,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -455,7 +450,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -477,7 +472,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -625,10 +619,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1137,7 +1127,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl 
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index eb70547746..70b8147608 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -69,11 +69,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -89,7 +84,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -111,7 +106,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -245,10 +239,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -737,7 +727,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 870c09c2c8..104949773f 100644 
--- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index cef2171f2c..d285e14166 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 7ed8ef4a06..4fa505fd43 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 3177e2ddf9..b816aab6a3 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -123,7 +123,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index e0cbdd52eb..6282144931 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -121,7 +121,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index df3b7fcf90..24a5a468d5 100644 
--- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -106,7 +106,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index f407caca16..e79a788b7e 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index cd59bc8d4c..ecce83101b 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -73,11 +73,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -93,7 +88,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -115,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
@@ -263,10 +257,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -827,7 +817,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 51008e365c..daf6d5737e 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -146,7 +146,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 1dc3ccb91a..b316d65081 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -75,11 +75,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -95,7 +90,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -130,7 +125,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -298,10 +292,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -829,7 +819,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 5c02a03d31..f619477e8e 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -140,7 +140,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 0431474d13..fdb1c64ec4 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index d3cf86a6f2..7fcd97706a 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -130,7 +130,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 96638a291e..7098d18a92 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -66,11 +66,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -86,7 +81,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -108,7 +103,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
@@ -254,10 +248,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -815,7 +805,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 659f32d9b3..4fc1a74209 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -114,7 +114,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index e1d0fa5d38..7d0169719b 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -107,7 +107,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index d5a7cc9705..5c54e46118 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -101,11 +101,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -121,7 +116,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -156,7 +151,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -345,10 +339,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -996,7 +986,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index dcb8912f23..8d3034ed7f 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml 
@@ -82,11 +82,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -102,7 +97,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -124,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -275,10 +269,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -798,7 +788,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 3eb40b03b6..dcae90c027 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -119,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index f563fa8237..89de36931f 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index cd5df06f7d..6b0251ed76 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index e2f2b6b812..6c5c1473a4 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index bca61dbe5f..e02601d3d9 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 46abf32363..8c18aaaa56 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml 
@@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 6fa999138f..4b0908fc49 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 9ce4d93cd8..e83df730a8 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -105,7 +105,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index c7d527e0d4..68eff88792 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -125,11 +125,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -145,7 +140,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -180,7 +175,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -388,10 +382,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -1063,7 +1053,6 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ed4f6c066a..eb5eead270 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -112,7 +112,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 2ceaa94572..43cdcf299e 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -129,7 +129,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 4a62e48dda..4314ad1b1f 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 6a895c44f7..1b6e64324c 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 37d4d029c5..5088742e10 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -114,7 +114,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 0f4733fbbc..53a06202da 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -81,11 +81,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"merged","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -101,7 +96,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -124,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -279,10 +273,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -766,7 +756,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 90198bbe96..ca41d24b3c 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -81,11 +81,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -101,7 +96,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -124,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -279,10 +273,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -766,7 +756,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 7f223d5421..6ec20cac95 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -81,11 +81,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"public"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -101,7 +96,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -124,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -279,10 +273,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -792,7 +782,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index b9b7285326..9de93114cc 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -81,11 +81,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"none","repos":"public"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -101,7 +96,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -124,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -279,10 +273,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -766,7 +756,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index c9b2afbd42..0cd569ea47 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -81,11 +81,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw","github/*"]}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -101,7 +96,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -124,7 +119,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -279,10 +273,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -770,7 +760,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 2d470abeaf..1b94b767fb 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -115,7 +115,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 307a6ea876..07a43e3eb4 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -146,7 +146,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index d688b736b0..aaa6aa6d7a 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -139,7 +139,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index f62a24304f..08ae2207aa 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -137,7 +137,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 8e559c5137..0784a02af5 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -139,7 +139,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 02bf349ce6..74c0f2b493 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -114,7 +114,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 551c474aa9..b71a88aba8 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml 
@@ -138,7 +138,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 1262351235..c4ded9a87f 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -133,7 +133,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index ad7f321b95..64a0462a81 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -131,7 +131,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index da899631be..2e207a733c 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -131,7 +131,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index d7fad7de48..c78caf32b8 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -120,7 +120,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 6627bb0308..97d405f877 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
+++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -114,7 +114,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 9984aa01b4..b3451baf61 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -149,7 +149,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 70096b8e2a..a364533caf 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -152,7 +152,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 663ae02c4b..bf726cd525 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -81,11 +81,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: 
@@ -101,7 +96,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -123,7 +118,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -280,10 +274,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -893,7 +883,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 6391eae53c..e01d4fee06 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 60abd02e29..2797255089 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml 
@@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 0ba4581139..2662df8a07 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 80bd7472ea..2c8e832d50 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -107,7 +107,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 8a14418428..8f874870bd 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 4174f86de2..1f3b830400 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index ead91bd9d6..655a6c7b93 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml 
+++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -101,7 +101,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index d294fa01cc..f1379a9f2e 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -100,7 +100,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index b766ba8a9d..3da1691b2d 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -100,7 +100,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 19bfeedc1a..19dcf9a1ae 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index a57c894a14..7398053c00 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -139,7 +139,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 4766509120..3e713b2b01 100644 --- a/.github/workflows/typist.lock.yml 
+++ b/.github/workflows/typist.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 1222ef4202..7115e8586d 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -111,7 +111,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a9ac2e9ac7..a66dc21604 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -136,7 +136,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 9b659ffa69..725c10d4df 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index b58a0b62ea..ba4c0d9604 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -109,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 01c86563d6..7cedc9a4cd 100644 
--- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -71,11 +71,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":["github/gh-aw"]}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -91,7 +86,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -113,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -270,10 +264,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 @@ -928,7 +918,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 57bff2a964..ce1567466f 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml 
+++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -104,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index bddedb57c8..f04c2c01fa 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -72,11 +72,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -92,7 +87,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","node","python"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -114,7 +109,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -263,10 +257,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -807,7 +797,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 9236492725..d2e2912842 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -67,11 +67,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -87,7 +82,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","github"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -109,7 +104,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -242,10 +236,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -747,7 +737,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 79545a39c4..bf3b0fe75d 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -70,11 +70,6 @@ jobs: uses: ./actions/setup with: destination: ${{ runner.temp }}/gh-aw/actions - - name: Start DIFC proxy for pre-agent gh calls - env: - GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - run: | - bash ${RUNNER_TEMP}/gh-aw/actions/start_difc_proxy.sh '{"allow-only":{"min-integrity":"approved","repos":"all"}}' 'ghcr.io/github/gh-aw-mcpg:v0.2.6' - name: Generate agentic run info id: generate_aw_info env: @@ -90,7 +85,7 @@ jobs: GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" GH_AW_INFO_AWF_VERSION: "v0.25.0" - GH_AW_INFO_AWMG_VERSION: "v0.2.6" + GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -125,7 +120,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps @@ -276,10 +270,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt # poutine:ignore untrusted_checkout_exec run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - - name: Stop DIFC proxy - if: always() - continue-on-error: true - run: bash ${RUNNER_TEMP}/gh-aw/actions/stop_difc_proxy.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 
@@ -824,7 +814,6 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ - !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 38393d9e86..f501584b6d 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -110,7 +110,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 8b6beed75f..84fd17c5ab 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 8234656f87..82a79a82e0 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -108,7 +108,6 @@ jobs: sparse-checkout: | .github .agents - actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go index 9ac69485af..fb7808c531 100644 --- a/pkg/workflow/compiler_activation_job.go +++ b/pkg/workflow/compiler_activation_job.go 
@@ -35,23 +35,6 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate // Activation job doesn't need project support (no safe outputs processed here) steps = append(steps, c.generateSetupStep(setupActionRef, SetupActionDestination, false)...) - // Start DIFC proxy early in the activation job, immediately after setup and before any - // actions/github-script or gh CLI step. The proxy startup script sets GITHUB_API_URL, - // GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, and GH_HOST via $GITHUB_ENV so all subsequent - // github-script Octokit calls are routed through integrity filtering automatically. - // We track whether the proxy was actually started so we only emit the stop step when needed. - var difcProxyInjectedInActivation bool - if hasDIFCGuardsConfigured(data) { - compilerActivationJobLog.Print("DIFC guards configured; injecting proxy start into activation job") - startStep := c.buildStartDIFCProxyStepYAML(data) - if startStep != "" { - steps = append(steps, startStep) - difcProxyInjectedInActivation = true - } else { - compilerActivationJobLog.Print("Warning: DIFC guards configured but proxy step generation returned empty; proxy will not be started in activation job") - } - } - // When a workflow_call trigger is present, resolve the platform (host) repository before // generating aw_info so that target_repo can be included in aw_info.json and used by // the checkout step. This is necessary for event-driven relays (e.g. on: issue_comment) 
@@ -468,13 +451,6 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate // That job builds the index and saves/restores it via the GitHub Actions cache, and the agent job // restores the index using actions/cache/restore. - // Stop DIFC proxy before artifact upload. The stop step always runs (if: always()) to - // ensure the container and CA cert are cleaned up even when earlier steps failed. - if difcProxyInjectedInActivation { - compilerActivationJobLog.Print("DIFC proxy was started; injecting proxy stop step into activation job") - steps = append(steps, buildStopDIFCProxyStepYAML()) - } - // Upload aw_info.json and prompt.txt as the activation artifact for the agent job to download. // In workflow_call context the artifact is prefixed to avoid name clashes when multiple callers // invoke the same reusable workflow within the same parent workflow run. @@ -637,16 +613,6 @@ func (c *Compiler) generateCheckoutGitHubFolderForActivation(data *WorkflowData) // // Skip when inlined-imports is enabled: content is embedded at compile time and no // runtime-import macros are used, so the callee's .md files are not needed at runtime. - // In dev mode the action is referenced via a local path (./actions/setup), so its files - // live in the workspace. Without including actions/setup in the sparse-checkout, this second - // checkout would remove that directory and the runner's post-step would fail to find action.yml. - // In other modes (release, script, action) the action is fetched remotely into the - // runner's action cache and is not affected by workspace checkouts. - devExtraPaths := []string(nil) - if c.actionMode.IsDev() { - devExtraPaths = []string{"actions/setup"} - } - cm := NewCheckoutManager(nil) if data != nil && hasWorkflowCallTrigger(data.On) && !data.InlinedImports { compilerActivationJobLog.Print("Adding cross-repo-aware .github checkout for workflow_call trigger") 
@@ -656,7 +622,6 @@ func (c *Compiler) generateCheckoutGitHubFolderForActivation(data *WorkflowData) cm.GetCrossRepoTargetRepo(), cm.GetCrossRepoTargetRef(), GetActionPin, - devExtraPaths..., ) } @@ -664,5 +629,5 @@ func (c *Compiler) generateCheckoutGitHubFolderForActivation(data *WorkflowData) // This is needed for runtime imports during prompt generation // sparse-checkout-cone-mode: true ensures subdirectories under .github/ are recursively included compilerActivationJobLog.Print("Adding .github and .agents sparse checkout in activation job") - return cm.GenerateGitHubFolderCheckoutStep("", "", GetActionPin, devExtraPaths...) + return cm.GenerateGitHubFolderCheckoutStep("", "", GetActionPin) } diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index 029103ad57..c7a2846b23 100644 --- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go 
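Review bot: In dev mode the final `return cm.GenerateGitHubFolderCheckoutStep("", "", GetActionPin)` no longer adds `actions/setup` to the sparse checkout. The comment removed in the `@@ -637,16 +613,6 @@` hunk says that without it this second checkout removes the local `./actions/setup` directory and the runner's post-step fails to find action.yml. The regenerated lock files in this patch still show `uses: ./actions/setup` next to a sparse-checkout list of only `.github` and `.agents`, so that condition appears to apply again. If the removal is intended, add a comment saying why the post-step is safe now; otherwise keep `devExtraPaths` for `c.actionMode.IsDev()` and pass it to both calls (the other is in the `@@ -656,7 +622,6 @@` hunk). The function body starts outside these hunks.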
@@ -19,26 +19,15 @@ package workflow // addition to GH_HOST, so it intercepts Octokit calls as well. Proxy wrapping is therefore // also injected around qmd indexing steps when DIFC guards are configured. // -// Note: activation job GitHub API calls (reactions, timestamp checks, body fetch, comments, -// lock, label removal) are also made via actions/github-script. The proxy is therefore also -// injected into the activation job when DIFC guards are configured. -// -// Note: pre-activation job GitHub API calls (membership checks, skip-if queries, rate limit, -// and user-defined on.steps / jobs.pre-activation custom steps) are also made via -// actions/github-script. The proxy is therefore also injected into the pre-activation job -// when DIFC guards are configured. -// // The proxy uses the same container image as the MCP gateway (gh-aw-mcpg) // but runs in "proxy" mode with --guards-mode filter (graceful degradation) // and --tls (required by the gh CLI HTTPS-only constraint). // // Injection conditions: // -// Main job: GitHub tool has explicit guard policies (min-integrity set) AND -// custom steps set GH_TOKEN -// Activation job: GitHub tool has explicit guard policies (min-integrity set) -// Pre-activation job: GitHub tool has explicit guard policies (min-integrity set) -// Indexing job: GitHub tool has explicit guard policies (min-integrity set) +// Main job: GitHub tool has explicit guard policies (min-integrity set) AND +// custom steps set GH_TOKEN +// Indexing job: GitHub tool has explicit guard policies (min-integrity set) // // Proxy lifecycle within the main job: // 1. Start proxy — after "Configure gh CLI" step, before custom steps 
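Review bot: The package comment no longer mentions the activation and pre-activation jobs, so a reader cannot tell from it that their actions/github-script calls bypass the proxy when min-integrity is set. The removed notes listed those calls (reactions, timestamp checks, body fetch, comments, lock, label removal, membership checks, skip-if queries), and the activation-job injection is removed in compiler_activation_job.go in this same patch. I would add a line under "Injection conditions", e.g. `// Not proxied: activation job github-script calls reach the GitHub API without integrity filtering.` Extend it to the pre-activation job if that injection is gone as well, which this diff does not show.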
@@ -47,22 +36,6 @@ package workflow // 3. Stop proxy — before MCP gateway starts (generateMCPSetup); always runs // even if earlier steps failed (if: always(), continue-on-error: true) // -// Proxy lifecycle within the activation job: -// 1. Start proxy — after setup step, before any actions/github-script or gh CLI step -// 2. All activation github-script steps run with all proxy env vars set -// (GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, GH_HOST); -// Octokit calls in actions/github-script are intercepted automatically -// 3. Stop proxy — before activation artifact upload; always runs -// (if: always(), continue-on-error: true) -// -// Proxy lifecycle within the pre-activation job: -// 1. Start proxy — after setup step, before any github-script step (membership checks, -// rate limit, skip-if queries, and user-defined on.steps / jobs.pre-activation steps) -// 2. All pre-activation github-script steps run with all proxy env vars set -// (GITHUB_API_URL, GITHUB_GRAPHQL_URL, NODE_EXTRA_CA_CERTS, GH_HOST) -// 3. Stop proxy — after all user-defined steps (on.steps and custom steps); always runs -// (if: always(), continue-on-error: true) -// // Proxy lifecycle within the indexing job: // 1. Start proxy — before qmd index-building steps // 2. qmd steps run with all proxy env vars set (GH_HOST, GITHUB_API_URL, GITHUB_GRAPHQL_URL, @@ -303,11 +276,5 @@ func difcProxyLogPaths(data *WorkflowData) []string { } // proxy-logs/ contains TLS certs and container stderr from the proxy // (mcp-logs/ is already collected as part of standard MCP logging) - // Exclude proxy-tls/ because it contains the TLS private key (server.key) which is - // created by the Docker container with root-only permissions, causing artifact upload - // to fail with EACCES. The private key is ephemeral and should not be uploaded. - return []string{ - "/tmp/gh-aw/proxy-logs/", - "!/tmp/gh-aw/proxy-logs/proxy-tls/", - } + return []string{"/tmp/gh-aw/proxy-logs/"} } 
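Review bot: `return []string{"/tmp/gh-aw/proxy-logs/"}` in difcProxyLogPaths drops the `!/tmp/gh-aw/proxy-logs/proxy-tls/` exclusion, so the artifact upload list again covers the directory that, per the removed comment, holds the proxy's TLS private key (server.key). That comment gave two reasons for the exclusion: the key is created with root-only permissions, which makes the upload fail with EACCES, and the key should not be uploaded. Unless proxy-tls/ is no longer created under proxy-logs/, keep the second entry `"!/tmp/gh-aw/proxy-logs/proxy-tls/"` and the two-path assertion in TestDIFCProxyLogPaths, which this patch changes to expect a single path. The regenerated lock files lose the same exclusion from their upload path lists. The function starts outside the hunk.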
diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index ab9edbcf72..98823ec0cc 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go @@ -362,9 +362,8 @@ func TestDIFCProxyLogPaths(t *testing.T) { CustomSteps: "steps:\n - name: Fetch\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", } paths := difcProxyLogPaths(data) - require.Len(t, paths, 2, "should return inclusion path and proxy-tls exclusion path") - assert.Contains(t, paths[0], "proxy-logs", "first path should include proxy-logs directory") - assert.Equal(t, "!/tmp/gh-aw/proxy-logs/proxy-tls/", paths[1], "second path should exclude proxy-tls directory") + require.Len(t, paths, 1, "should return exactly one path") + assert.Contains(t, paths[0], "proxy-logs", "path should include proxy-logs directory") }) } 
@@ -634,327 +633,3 @@ func TestDIFCProxyInjectedInIndexingJob(t *testing.T) { "indexing job should NOT include proxy stop step without guard policy") }) } - -// TestDIFCProxyInjectedInActivationJob verifies that DIFC proxy steps are injected -// into the activation job when guard policies are configured. -func TestDIFCProxyInjectedInActivationJob(t *testing.T) { - t.Run("proxy injected in activation job when guard policy configured", func(t *testing.T) { - workflow := `--- -on: issues -engine: copilot -tools: - github: - mode: local - toolsets: [default] - min-integrity: approved ---- - -# Test Workflow - -Test that DIFC proxy is injected into the activation job when min-integrity is set. -` - compiler := NewCompiler() - data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") - require.NoError(t, err, "parsing should succeed") - - result, err := compiler.CompileToYAML(data, "test-workflow.md") - require.NoError(t, err, "compilation should succeed") - - // Find the activation job section - activationIdx := strings.Index(result, "activation:") - require.Greater(t, activationIdx, -1, "activation job should be present") - - // Find the agent job section (to bound our search to the activation job) - agentIdx := strings.Index(result, "agent:") - require.Greater(t, agentIdx, -1, "agent job should be present") - - // Extract activation job content (before agent job) - activationSection := result[activationIdx:agentIdx] - - // Proxy start must be present in activation job - assert.Contains(t, activationSection, "Start DIFC proxy for pre-agent gh calls", - "activation job should contain proxy start step when guard policy is configured") - - // Proxy stop must be present in activation job - assert.Contains(t, activationSection, "Stop DIFC proxy", - "activation job should contain proxy stop step when guard policy is configured") - - // Proxy start must come before proxy stop - startIdx := strings.Index(activationSection, "Start DIFC proxy for pre-agent gh 
calls") - stopIdx := strings.Index(activationSection, "Stop DIFC proxy") - assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in activation job") - - // Proxy start must come before the first github-script step (add reaction, timestamp check, etc.) - // Verify start comes before the "Upload activation artifact" step - uploadIdx := strings.Index(activationSection, "Upload activation artifact") - require.Greater(t, uploadIdx, -1, "activation artifact upload step should be present") - assert.Less(t, stopIdx, uploadIdx, "Stop DIFC proxy must come before artifact upload") - }) - - t.Run("proxy not injected in activation job without guard policy", func(t *testing.T) { - workflow := `--- -on: issues -engine: copilot -tools: - github: - mode: local - toolsets: [default] ---- - -# Test Workflow - -Test that DIFC proxy is NOT injected into the activation job when min-integrity is not set. -` - compiler := NewCompiler() - data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") - require.NoError(t, err, "parsing should succeed") - - result, err := compiler.CompileToYAML(data, "test-workflow.md") - require.NoError(t, err, "compilation should succeed") - - // Find the activation job section - activationIdx := strings.Index(result, "activation:") - require.Greater(t, activationIdx, -1, "activation job should be present") - - agentIdx := strings.Index(result, "agent:") - require.Greater(t, agentIdx, -1, "agent job should be present") - - activationSection := result[activationIdx:agentIdx] - - assert.NotContains(t, activationSection, "Start DIFC proxy", - "activation job should NOT contain proxy start step without guard policy") - assert.NotContains(t, activationSection, "Stop DIFC proxy", - "activation job should NOT contain proxy stop step without guard policy") - }) - - t.Run("buildActivationJob includes proxy steps when guard policy configured", func(t *testing.T) { - c := NewCompiler() - data := &WorkflowData{ - Name: "test-workflow", - 
Tools: map[string]any{ - "github": map[string]any{"min-integrity": "approved"}, - }, - AI: "copilot", - SandboxConfig: &SandboxConfig{}, - } - ensureDefaultMCPGatewayConfig(data) - - job, err := c.buildActivationJob(data, false, "", "test-workflow.lock.yml") - require.NoError(t, err, "buildActivationJob should succeed") - require.NotNil(t, job, "job should not be nil") - - allSteps := strings.Join(job.Steps, "\n") - assert.Contains(t, allSteps, "Start DIFC proxy for pre-agent gh calls", - "activation job should include proxy start step when guard policy is configured") - assert.Contains(t, allSteps, "Stop DIFC proxy", - "activation job should include proxy stop step when guard policy is configured") - - startIdx := strings.Index(allSteps, "Start DIFC proxy for pre-agent gh calls") - stopIdx := strings.Index(allSteps, "Stop DIFC proxy") - assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in activation job") - - // Stop proxy must come before artifact upload - uploadIdx := strings.Index(allSteps, "Upload activation artifact") - require.Greater(t, uploadIdx, -1, "artifact upload step should be present") - assert.Less(t, stopIdx, uploadIdx, "Stop DIFC proxy must come before artifact upload") - }) - - t.Run("buildActivationJob has no proxy steps without guard policy", func(t *testing.T) { - c := NewCompiler() - data := &WorkflowData{ - Name: "test-workflow", - Tools: map[string]any{ - "github": map[string]any{"toolsets": []string{"default"}}, - }, - AI: "copilot", - SandboxConfig: &SandboxConfig{}, - } - ensureDefaultMCPGatewayConfig(data) - - job, err := c.buildActivationJob(data, false, "", "test-workflow.lock.yml") - require.NoError(t, err, "buildActivationJob should succeed") - require.NotNil(t, job, "job should not be nil") - - allSteps := strings.Join(job.Steps, "\n") - assert.NotContains(t, allSteps, "Start DIFC proxy", - "activation job should NOT include proxy start step without guard policy") - assert.NotContains(t, allSteps, "Stop 
DIFC proxy", - "activation job should NOT include proxy stop step without guard policy") - }) -} - -// TestDIFCProxyInjectedInPreActivationJob verifies that DIFC proxy steps are injected -// into the pre-activation job (which contains user-defined on.steps and compiler-added -// checks) when guard policies are configured. -func TestDIFCProxyInjectedInPreActivationJob(t *testing.T) { - t.Run("proxy injected in pre-activation job when guard policy configured", func(t *testing.T) { - // Note: ParseWorkflowString does not run processOnSectionAndFilters so OnSteps is - // empty in this path. The pre-activation job is still created because the workflow - // uses on.issues (an unsafe event) triggering the membership check. - // The proxy injection is gated on hasDIFCGuardsConfigured which only requires - // min-integrity to be set in the github tool config. - workflow := `--- -on: - issues: - types: [opened] -engine: copilot -tools: - github: - mode: local - toolsets: [default] - min-integrity: approved -permissions: - issues: read - pull-requests: read - contents: read ---- - -# Test Workflow - -Test that DIFC proxy is injected into the pre-activation job when min-integrity is set. -` - compiler := NewCompiler() - data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") - require.NoError(t, err, "parsing should succeed") - - result, err := compiler.CompileToYAML(data, "test-workflow.md") - require.NoError(t, err, "compilation should succeed") - - // Extract the pre_activation job section from the full YAML. - // Jobs may appear in any order in the map; find "pre_activation:" and take from there. 
- preActivationMarker := "\n pre_activation:" - preActivationIdx := strings.Index(result, preActivationMarker) - require.Greater(t, preActivationIdx, -1, "pre_activation job should be present in compiled YAML") - - preActivationSection := result[preActivationIdx:] - - // Proxy start must be present in pre_activation section - assert.Contains(t, preActivationSection, "Start DIFC proxy for pre-agent gh calls", - "pre-activation job should contain proxy start step when guard policy is configured") - - // Proxy stop must be present in pre_activation section - assert.Contains(t, preActivationSection, "Stop DIFC proxy", - "pre-activation job should contain proxy stop step when guard policy is configured") - - // Proxy start must come before proxy stop - startIdx := strings.Index(preActivationSection, "Start DIFC proxy for pre-agent gh calls") - stopIdx := strings.Index(preActivationSection, "Stop DIFC proxy") - assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in pre-activation job") - }) - - t.Run("proxy not injected in pre-activation job without guard policy", func(t *testing.T) { - workflow := `--- -on: - issues: - types: [opened] -engine: copilot -tools: - github: - mode: local - toolsets: [default] -permissions: - issues: read - pull-requests: read ---- - -# Test Workflow - -Test that DIFC proxy is NOT injected into the pre-activation job when min-integrity is not set. 
-` - compiler := NewCompiler() - data, err := compiler.ParseWorkflowString(workflow, "test-workflow.md") - require.NoError(t, err, "parsing should succeed") - - result, err := compiler.CompileToYAML(data, "test-workflow.md") - require.NoError(t, err, "compilation should succeed") - - preActivationMarker := "\n pre_activation:" - preActivationIdx := strings.Index(result, preActivationMarker) - require.Greater(t, preActivationIdx, -1, "pre_activation job should be present in compiled YAML") - - preActivationSection := result[preActivationIdx:] - - assert.NotContains(t, preActivationSection, "Start DIFC proxy", - "pre-activation job should NOT contain proxy start step without guard policy") - assert.NotContains(t, preActivationSection, "Stop DIFC proxy", - "pre-activation job should NOT contain proxy stop step without guard policy") - }) - - t.Run("buildPreActivationJob includes proxy steps when guard policy configured with on.steps", func(t *testing.T) { - c := NewCompiler() - data := &WorkflowData{ - Name: "test-workflow", - Tools: map[string]any{ - "github": map[string]any{"min-integrity": "approved"}, - }, - AI: "copilot", - OnSteps: []map[string]any{ - { - "name": "Custom gate check", - "id": "gate", - "uses": "actions/github-script@v7", - "with": map[string]any{ - "script": "core.setOutput('approved', 'true')", - }, - }, - }, - SandboxConfig: &SandboxConfig{}, - } - ensureDefaultMCPGatewayConfig(data) - - job, err := c.buildPreActivationJob(data, false) - require.NoError(t, err, "buildPreActivationJob should succeed") - require.NotNil(t, job, "job should not be nil") - - allSteps := strings.Join(job.Steps, "\n") - assert.Contains(t, allSteps, "Start DIFC proxy for pre-agent gh calls", - "pre-activation job should include proxy start step when guard policy is configured") - assert.Contains(t, allSteps, "Stop DIFC proxy", - "pre-activation job should include proxy stop step when guard policy is configured") - - startIdx := strings.Index(allSteps, "Start DIFC proxy 
for pre-agent gh calls") - stopIdx := strings.Index(allSteps, "Stop DIFC proxy") - assert.Less(t, startIdx, stopIdx, "Start proxy must come before Stop proxy in pre-activation job") - - // User-defined on.step must be between start and stop - gateIdx := strings.Index(allSteps, "Custom gate check") - require.Greater(t, gateIdx, -1, "on.steps should appear in pre-activation steps") - assert.Less(t, startIdx, gateIdx, "Proxy start must come before user-defined on.steps") - assert.Less(t, gateIdx, stopIdx, "on.steps must come before proxy stop") - }) - - t.Run("buildPreActivationJob has no proxy steps without guard policy", func(t *testing.T) { - c := NewCompiler() - data := &WorkflowData{ - Name: "test-workflow", - Tools: map[string]any{ - "github": map[string]any{"toolsets": []string{"default"}}, - }, - AI: "copilot", - // OnSteps is required to create a valid pre-activation job without - // permission checks or stop-time. - OnSteps: []map[string]any{ - { - "name": "Custom gate check", - "id": "gate", - "uses": "actions/github-script@v7", - "with": map[string]any{ - "script": "core.setOutput('approved', 'true')", - }, - }, - }, - SandboxConfig: &SandboxConfig{}, - } - ensureDefaultMCPGatewayConfig(data) - - job, err := c.buildPreActivationJob(data, false) - require.NoError(t, err, "buildPreActivationJob should succeed") - require.NotNil(t, job, "job should not be nil") - - allSteps := strings.Join(job.Steps, "\n") - assert.NotContains(t, allSteps, "Start DIFC proxy", - "pre-activation job should NOT include proxy start step without guard policy") - assert.NotContains(t, allSteps, "Stop DIFC proxy", - "pre-activation job should NOT include proxy stop step without guard policy") - }) -} diff --git a/pkg/workflow/compiler_pre_activation_job.go b/pkg/workflow/compiler_pre_activation_job.go index c77ea897b1..24aead98e1 100644 --- a/pkg/workflow/compiler_pre_activation_job.go +++ b/pkg/workflow/compiler_pre_activation_job.go 
@@ -41,21 +41,6 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec // Pre-activation job doesn't need project support (no safe outputs processed here) steps = append(steps, c.generateSetupStep(setupActionRef, SetupActionDestination, false)...) - // Start DIFC proxy immediately after setup and before any github-script or gh CLI call. - // on.steps and jobs.pre-activation custom steps may access GH_TOKEN and make API calls; - // the proxy ensures those calls are integrity-filtered when min-integrity is configured. - var difcProxyInjectedInPreActivation bool - if hasDIFCGuardsConfigured(data) { - compilerActivationJobsLog.Print("DIFC guards configured; injecting proxy start into pre-activation job") - startStep := c.buildStartDIFCProxyStepYAML(data) - if startStep != "" { - steps = append(steps, startStep) - difcProxyInjectedInPreActivation = true - } else { - compilerActivationJobsLog.Print("Warning: DIFC guards configured but proxy step generation returned empty; proxy will not be started in pre-activation job") - } - } - // Determine permissions for pre-activation job var perms *Permissions if needsContentsRead { @@ -267,14 +252,6 @@ func (c *Compiler) buildPreActivationJob(data *WorkflowData, needsPermissionChec } } - // Stop DIFC proxy after all user-defined steps (on.steps and custom steps) have run. - // The stop step always runs (if: always()) to clean up the container and CA cert - // even when earlier steps failed. - if difcProxyInjectedInPreActivation { - compilerActivationJobsLog.Print("DIFC proxy was started; injecting proxy stop step into pre-activation job") - steps = append(steps, buildStopDIFCProxyStepYAML()) - } - // Generate the activated output expression using expression builders var activatedNode ConditionNode From bc342ecbf77255001048034943cd88d774a58c73 Mon Sep 17 00:00:00 2001 
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 09:59:11 -0700 Subject: [PATCH 6/7] [WIP] Fix failing GitHub Actions workflow test (#23145) * Initial plan * Fix sparse-checkout missing actions/setup in dev mode for activation job Agent-Logs-Url: https://github.com/github/gh-aw/sessions/1b83f1ef-faf6-451f-84b2-ffbd0b92867c Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .github/workflows/ace-editor.lock.yml | 1 + .../workflows/agent-performance-analyzer.lock.yml | 1 + .github/workflows/agent-persona-explorer.lock.yml | 1 + .github/workflows/agentic-observability-kit.lock.yml | 1 + .github/workflows/ai-moderator.lock.yml | 1 + .github/workflows/archie.lock.yml | 1 + .github/workflows/artifacts-summary.lock.yml | 1 + .github/workflows/audit-workflows.lock.yml | 1 + .github/workflows/auto-triage-issues.lock.yml | 1 + .github/workflows/blog-auditor.lock.yml | 1 + .github/workflows/bot-detection.lock.yml | 1 + .github/workflows/brave.lock.yml | 1 + .github/workflows/breaking-change-checker.lock.yml | 1 + .github/workflows/changeset.lock.yml | 1 + .github/workflows/ci-coach.lock.yml | 1 + .github/workflows/ci-doctor.lock.yml | 1 + .../workflows/claude-code-user-docs-review.lock.yml | 1 + .github/workflows/cli-consistency-checker.lock.yml | 1 + .github/workflows/cli-version-checker.lock.yml | 1 + .github/workflows/cloclo.lock.yml | 1 + .github/workflows/code-scanning-fixer.lock.yml | 1 + .github/workflows/code-simplifier.lock.yml | 1 + .../workflows/codex-github-remote-mcp-test.lock.yml | 1 + .github/workflows/commit-changes-analyzer.lock.yml | 1 + .github/workflows/constraint-solving-potd.lock.yml | 1 + .github/workflows/contribution-check.lock.yml | 1 + .github/workflows/copilot-agent-analysis.lock.yml | 1 + .github/workflows/copilot-cli-deep-research.lock.yml | 
1 + .github/workflows/copilot-pr-merged-report.lock.yml | 1 + .github/workflows/copilot-pr-nlp-analysis.lock.yml | 1 + .../workflows/copilot-pr-prompt-analysis.lock.yml | 1 + .github/workflows/copilot-session-insights.lock.yml | 1 + .github/workflows/craft.lock.yml | 1 + .../workflows/daily-architecture-diagram.lock.yml | 1 + .../workflows/daily-assign-issue-to-user.lock.yml | 1 + .github/workflows/daily-choice-test.lock.yml | 1 + .github/workflows/daily-cli-performance.lock.yml | 1 + .github/workflows/daily-cli-tools-tester.lock.yml | 1 + .github/workflows/daily-code-metrics.lock.yml | 1 + .../workflows/daily-community-attribution.lock.yml | 1 + .github/workflows/daily-compiler-quality.lock.yml | 1 + .../workflows/daily-copilot-token-report.lock.yml | 1 + .github/workflows/daily-doc-healer.lock.yml | 1 + .github/workflows/daily-doc-updater.lock.yml | 1 + .github/workflows/daily-file-diet.lock.yml | 1 + .github/workflows/daily-firewall-report.lock.yml | 1 + .github/workflows/daily-function-namer.lock.yml | 1 + .github/workflows/daily-integrity-analysis.lock.yml | 1 + .github/workflows/daily-issues-report.lock.yml | 1 + .github/workflows/daily-malicious-code-scan.lock.yml | 1 + .../daily-mcp-concurrency-analysis.lock.yml | 1 + .../daily-multi-device-docs-tester.lock.yml | 1 + .github/workflows/daily-news.lock.yml | 1 + .../workflows/daily-observability-report.lock.yml | 1 + .github/workflows/daily-performance-summary.lock.yml | 1 + .github/workflows/daily-regulatory.lock.yml | 1 + .../daily-rendering-scripts-verifier.lock.yml | 1 + .github/workflows/daily-repo-chronicle.lock.yml | 1 + .../workflows/daily-safe-output-integrator.lock.yml | 1 + .../workflows/daily-safe-output-optimizer.lock.yml | 1 + .../daily-safe-outputs-conformance.lock.yml | 1 + .github/workflows/daily-secrets-analysis.lock.yml | 1 + .github/workflows/daily-security-red-team.lock.yml | 1 + .github/workflows/daily-semgrep-scan.lock.yml | 1 + .../workflows/daily-syntax-error-quality.lock.yml | 1 + 
.../workflows/daily-team-evolution-insights.lock.yml | 1 + .github/workflows/daily-team-status.lock.yml | 1 + .../daily-testify-uber-super-expert.lock.yml | 1 + .github/workflows/daily-workflow-updater.lock.yml | 1 + .github/workflows/dead-code-remover.lock.yml | 1 + .github/workflows/deep-report.lock.yml | 1 + .github/workflows/delight.lock.yml | 1 + .github/workflows/dependabot-burner.lock.yml | 1 + .github/workflows/dependabot-go-checker.lock.yml | 1 + .github/workflows/dev-hawk.lock.yml | 1 + .github/workflows/dev.lock.yml | 1 + .../workflows/developer-docs-consolidator.lock.yml | 1 + .github/workflows/dictation-prompt.lock.yml | 1 + .github/workflows/discussion-task-miner.lock.yml | 1 + .github/workflows/docs-noob-tester.lock.yml | 1 + .github/workflows/draft-pr-cleanup.lock.yml | 1 + .github/workflows/duplicate-code-detector.lock.yml | 1 + .../workflows/example-permissions-warning.lock.yml | 1 + .github/workflows/example-workflow-analyzer.lock.yml | 1 + .github/workflows/firewall-escape.lock.yml | 1 + .github/workflows/firewall.lock.yml | 1 + .github/workflows/functional-pragmatist.lock.yml | 1 + .../github-mcp-structural-analysis.lock.yml | 1 + .github/workflows/github-mcp-tools-report.lock.yml | 1 + .../workflows/github-remote-mcp-auth-test.lock.yml | 1 + .github/workflows/glossary-maintainer.lock.yml | 1 + .github/workflows/go-fan.lock.yml | 1 + .github/workflows/go-logger.lock.yml | 1 + .github/workflows/go-pattern-detector.lock.yml | 1 + .github/workflows/gpclean.lock.yml | 1 + .github/workflows/grumpy-reviewer.lock.yml | 1 + .github/workflows/hourly-ci-cleaner.lock.yml | 1 + .github/workflows/instructions-janitor.lock.yml | 1 + .github/workflows/issue-arborist.lock.yml | 1 + .github/workflows/issue-monster.lock.yml | 1 + .github/workflows/issue-triage-agent.lock.yml | 1 + .github/workflows/jsweep.lock.yml | 1 + .github/workflows/layout-spec-maintainer.lock.yml | 1 + .github/workflows/lockfile-stats.lock.yml | 1 + .github/workflows/mcp-inspector.lock.yml 
| 1 + .github/workflows/mergefest.lock.yml | 1 + .github/workflows/metrics-collector.lock.yml | 1 + .github/workflows/notion-issue-summary.lock.yml | 1 + .github/workflows/org-health-report.lock.yml | 1 + .github/workflows/pdf-summary.lock.yml | 1 + .github/workflows/plan.lock.yml | 1 + .github/workflows/poem-bot.lock.yml | 1 + .github/workflows/portfolio-analyst.lock.yml | 1 + .github/workflows/pr-nitpick-reviewer.lock.yml | 1 + .github/workflows/pr-triage-agent.lock.yml | 1 + .../workflows/prompt-clustering-analysis.lock.yml | 1 + .github/workflows/python-data-charts.lock.yml | 1 + .github/workflows/q.lock.yml | 1 + .github/workflows/refiner.lock.yml | 1 + .github/workflows/release.lock.yml | 1 + .github/workflows/repo-audit-analyzer.lock.yml | 1 + .github/workflows/repo-tree-map.lock.yml | 1 + .../workflows/repository-quality-improver.lock.yml | 1 + .github/workflows/research.lock.yml | 1 + .github/workflows/safe-output-health.lock.yml | 1 + .../workflows/schema-consistency-checker.lock.yml | 1 + .github/workflows/schema-feature-coverage.lock.yml | 1 + .github/workflows/scout.lock.yml | 1 + .github/workflows/security-compliance.lock.yml | 1 + .github/workflows/security-review.lock.yml | 1 + .../workflows/semantic-function-refactor.lock.yml | 1 + .github/workflows/sergo.lock.yml | 1 + .github/workflows/slide-deck-maintainer.lock.yml | 1 + .github/workflows/smoke-agent-all-merged.lock.yml | 1 + .github/workflows/smoke-agent-all-none.lock.yml | 1 + .../workflows/smoke-agent-public-approved.lock.yml | 1 + .github/workflows/smoke-agent-public-none.lock.yml | 1 + .../workflows/smoke-agent-scoped-approved.lock.yml | 1 + .github/workflows/smoke-call-workflow.lock.yml | 1 + .github/workflows/smoke-claude.lock.yml | 1 + .github/workflows/smoke-codex.lock.yml | 1 + .github/workflows/smoke-copilot-arm.lock.yml | 1 + .github/workflows/smoke-copilot.lock.yml | 1 + .../workflows/smoke-create-cross-repo-pr.lock.yml | 1 + .github/workflows/smoke-gemini.lock.yml | 1 + 
.github/workflows/smoke-multi-pr.lock.yml | 1 + .github/workflows/smoke-project.lock.yml | 1 + .github/workflows/smoke-temporary-id.lock.yml | 1 + .github/workflows/smoke-test-tools.lock.yml | 1 + .../workflows/smoke-update-cross-repo-pr.lock.yml | 1 + .../smoke-workflow-call-with-inputs.lock.yml | 1 + .github/workflows/smoke-workflow-call.lock.yml | 1 + .github/workflows/stale-repo-identifier.lock.yml | 1 + .github/workflows/static-analysis-report.lock.yml | 1 + .github/workflows/step-name-alignment.lock.yml | 1 + .github/workflows/sub-issue-closer.lock.yml | 1 + .github/workflows/super-linter.lock.yml | 1 + .github/workflows/technical-doc-writer.lock.yml | 1 + .github/workflows/terminal-stylist.lock.yml | 1 + .../workflows/test-create-pr-error-handling.lock.yml | 1 + .github/workflows/test-dispatcher.lock.yml | 1 + .github/workflows/test-project-url-default.lock.yml | 1 + .github/workflows/test-workflow.lock.yml | 1 + .github/workflows/tidy.lock.yml | 1 + .github/workflows/typist.lock.yml | 1 + .github/workflows/ubuntu-image-analyzer.lock.yml | 1 + .github/workflows/unbloat-docs.lock.yml | 1 + .github/workflows/update-astro.lock.yml | 1 + .github/workflows/video-analyzer.lock.yml | 1 + .github/workflows/weekly-blog-post-writer.lock.yml | 1 + .../workflows/weekly-editors-health-check.lock.yml | 1 + .github/workflows/weekly-issue-summary.lock.yml | 1 + .../weekly-safe-outputs-spec-review.lock.yml | 1 + .github/workflows/workflow-generator.lock.yml | 1 + .github/workflows/workflow-health-manager.lock.yml | 1 + .github/workflows/workflow-normalizer.lock.yml | 1 + .github/workflows/workflow-skill-extractor.lock.yml | 1 + pkg/workflow/compiler_activation_job.go | 12 +++++++++++- 178 files changed, 188 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index fbbb9a0192..ced9515527 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml 
@@ -121,6 +121,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 5c9bd959a1..fc051ee676 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 4ed8b0aedb..7c8e6f3b7b 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml index 2b16fec8e5..cdef8b196e 100644 --- a/.github/workflows/agentic-observability-kit.lock.yml +++ b/.github/workflows/agentic-observability-kit.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 0f5df6bf78..887d85ad42 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -127,6 +127,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index f713cd053d..06a3992d12 100644 
--- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -129,6 +129,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 388e979c25..3411cb076e 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index e4d8a14322..6f36b43e0d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index bce81f1a89..8830b3dfe8 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index fc7187fcac..feaec35f04 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index a55a414a0e..71e5b66345 100644 
--- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index d415497d04..b22cf0c93b 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 352cbb61aa..f4ea1f6056 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index e67e0c15ff..d9d893ffd5 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -139,6 +139,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index cd43eca953..f37df7de9b 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 470cd0ad40..62657155ad 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml 
@@ -132,6 +132,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index ec06d1b0b9..c85528d575 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 8377b375b7..d051148e30 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -97,6 +97,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 365231fe31..22641b413f 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index e8750d89b9..807134861b 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -152,6 +152,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index b5cfa7a7eb..3b9c12de1f 100644 
--- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 620c77b2ab..87cf22172a 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -112,6 +112,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 1cc528695c..93b41f06b6 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 100332d432..218a0d4fcf 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 15950307ec..c0f6c0e042 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index a389783fb1..5754752b4d 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -106,6 +106,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 97e965fa4e..80478c0207 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 60fea7cdb8..11fa598526 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 7810c36c46..d633f4701f 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 2970298a5b..1885feca69 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml 
@@ -106,6 +106,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 4b46543eae..034a895031 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 062aa7049d..3acf99898e 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -113,6 +113,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index d08efad3a4..72e98a8215 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -116,6 +116,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 40be6fbfdf..5667aba4df 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 22ec4717cc..cbbec83b0a 100644 
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -97,6 +97,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index ea6017918f..c845f76cef 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 9191bc37fa..390e17f053 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -130,6 +130,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 6ab120f1f6..80b0878a91 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index c183f80680..12836cc0f9 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 25842e810d..f7d1d84957 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 25f44fddc6..d62086e5fb 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index c87ac62492..5c171e42eb 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index d53f697196..41a84e9317 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 72b071bb08..79dcc307cb 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml 
@@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 6ec16d125e..6b6e5a00f1 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -107,6 +107,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 58ec7b5cc1..2928d104a4 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 863574c24e..f49b9bf1f2 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index 453572d72b..69516fe42e 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index ba8b07c81d..b1751c3d96 100644 
--- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -116,6 +116,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 79c9565d83..250a29dd96 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 4338c6d124..de2dec5df5 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 80be32adeb..1171855953 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -113,6 +113,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 08691cf60c..b886c2a6ce 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 75e034ef15..78f4429d92 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 87274a9c9b..a31bd8fa14 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 58194d30e2..c3a11b8e38 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 2ed397cdc4..307ac067b0 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -112,6 +112,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 1bf80cb883..56f85e386d 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index 8163e93fae..7a774013ca 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 9600587c91..242722ecc0 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -114,6 +114,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 8c11bc3964..07f4d90370 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 59834a4424..bca1ae90b9 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml 
+++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 6ddea2194a..b66c6a5a74 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 2bbef58873..27bb487a43 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index a74c45651c..2a7f619a09 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 4d417059a6..b9a641e2b1 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index bad2d9c4c7..2f8854f0ec 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -117,6 +117,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index f34dccb926..98f39106b6 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 8bcf733954..583c0ffb29 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -98,6 +98,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index d1f33b6be9..abeb4ad064 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 33e8a8c5b4..832fa5156c 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml 
@@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index bb9b51609a..31a9af4442 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index ad12a084ea..894e3ad78c 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index b26474ba32..8af396237c 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -107,6 +107,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 58f840c74c..8c614cc5e8 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 139282a69c..63956bb365 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml 
@@ -134,6 +134,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index b0beccaeba..095f575269 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 776bba3b73..df41bef7e4 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -102,6 +102,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 695d62dd5d..a7a6785eaf 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 1732cad78a..1210fe9503 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 3ffc6f0e50..6581a1ef4c 100644 
--- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -98,6 +98,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index f921182b97..290247d3b9 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 8b85392b31..6061b37f2c 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -101,6 +101,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 35707e86c2..3546f8bd74 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 2aa916104e..3800db11f2 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index d57f9fb9f7..19fd008532 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -101,6 +101,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index b509b35162..ac1e727d3a 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -107,6 +107,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index bcec193ba2..b695ca9a2e 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 0a8712e635..d594c3a792 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index e3d60d17aa..1a7af91d71 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml 
@@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 592a259736..c8cf37a1b1 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index b927a9d5dd..fb2e97578d 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 5855a009ef..a8c6eb4b1a 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 6107dc6961..32e3cf4633 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 69a4281c0a..4378639e2e 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml 
@@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 015e9ce518..8cc6d14221 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -133,6 +133,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index bbec13c221..8f0fd201e3 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 706dc8559f..bc618b6db4 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index fd4f708b64..e49260642c 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 5c971120d7..8263f82683 100644 --- a/.github/workflows/issue-monster.lock.yml 
+++ b/.github/workflows/issue-monster.lock.yml @@ -472,6 +472,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 70b8147608..642b21c5c1 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -106,6 +106,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 104949773f..870c09c2c8 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index d285e14166..cef2171f2c 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 4fa505fd43..7ed8ef4a06 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index b816aab6a3..3177e2ddf9 100644 --- a/.github/workflows/mcp-inspector.lock.yml 
+++ b/.github/workflows/mcp-inspector.lock.yml @@ -123,6 +123,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 6282144931..e0cbdd52eb 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -121,6 +121,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 24a5a468d5..df3b7fcf90 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -106,6 +106,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index e79a788b7e..f407caca16 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index ecce83101b..9dd90bb1fd 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index daf6d5737e..51008e365c 100644 --- a/.github/workflows/pdf-summary.lock.yml 
+++ b/.github/workflows/pdf-summary.lock.yml @@ -146,6 +146,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index b316d65081..deeb5478a0 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -125,6 +125,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index f619477e8e..5c02a03d31 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -140,6 +140,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index fdb1c64ec4..0431474d13 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 7fcd97706a..d3cf86a6f2 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -130,6 +130,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 7098d18a92..4da0b6ef48 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml 
@@ -103,6 +103,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 4fc1a74209..659f32d9b3 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -114,6 +114,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 7d0169719b..e1d0fa5d38 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -107,6 +107,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 5c54e46118..0c72603544 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -151,6 +151,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 8d3034ed7f..1a3ad489be 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index dcae90c027..3eb40b03b6 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 89de36931f..f563fa8237 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 6b0251ed76..cd5df06f7d 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 6c5c1473a4..e2f2b6b812 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index e02601d3d9..bca61dbe5f 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 8c18aaaa56..46abf32363 100644 --- a/.github/workflows/safe-output-health.lock.yml 
+++ b/.github/workflows/safe-output-health.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 4b0908fc49..6fa999138f 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index e83df730a8..9ce4d93cd8 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -105,6 +105,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 68eff88792..1b3ba6ed28 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -175,6 +175,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index eb5eead270..ed4f6c066a 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -112,6 +112,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 43cdcf299e..2ceaa94572 100644 
--- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -129,6 +129,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 4314ad1b1f..4a62e48dda 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 1b6e64324c..6a895c44f7 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 5088742e10..37d4d029c5 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -114,6 +114,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 53a06202da..3cd6156583 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index ca41d24b3c..3e6a130fbb 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 6ec20cac95..c1b24aec5f 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 9de93114cc..55b5f921f9 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 0cd569ea47..5d1f442954 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -119,6 +119,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 1b94b767fb..2d470abeaf 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml 
@@ -115,6 +115,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 07a43e3eb4..307a6ea876 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -146,6 +146,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index aaa6aa6d7a..d688b736b0 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -139,6 +139,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 08ae2207aa..f62a24304f 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -137,6 +137,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 0784a02af5..8e559c5137 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -139,6 +139,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 74c0f2b493..02bf349ce6 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml 
+++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -114,6 +114,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index b71a88aba8..551c474aa9 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -138,6 +138,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index c4ded9a87f..1262351235 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -133,6 +133,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 64a0462a81..ad7f321b95 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -131,6 +131,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 2e207a733c..da899631be 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -131,6 +131,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index c78caf32b8..d7fad7de48 100644 --- a/.github/workflows/smoke-test-tools.lock.yml 
+++ b/.github/workflows/smoke-test-tools.lock.yml @@ -120,6 +120,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 97d405f877..6627bb0308 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -114,6 +114,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index b3451baf61..9984aa01b4 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -149,6 +149,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index a364533caf..70096b8e2a 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -152,6 +152,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index bf726cd525..a41ee96ab8 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -118,6 +118,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index e01d4fee06..6391eae53c 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 2797255089..60abd02e29 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 2662df8a07..0ba4581139 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 2c8e832d50..80bd7472ea 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -107,6 +107,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 8f874870bd..8a14418428 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml 
@@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 1f3b830400..4174f86de2 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 655a6c7b93..ead91bd9d6 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -101,6 +101,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index f1379a9f2e..d294fa01cc 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -100,6 +100,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 3da1691b2d..b766ba8a9d 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -100,6 +100,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 19dcf9a1ae..19bfeedc1a 100644 
--- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 7398053c00..a57c894a14 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -139,6 +139,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 3e713b2b01..4766509120 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 7115e8586d..1222ef4202 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -111,6 +111,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a66dc21604..a9ac2e9ac7 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -136,6 +136,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 725c10d4df..9b659ffa69 100644 --- a/.github/workflows/update-astro.lock.yml 
+++ b/.github/workflows/update-astro.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index ba4c0d9604..b58a0b62ea 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 7cedc9a4cd..94912bba62 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index ce1567466f..57bff2a964 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index f04c2c01fa..b57df21bcf 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -109,6 +109,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps 
diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index d2e2912842..47cb86ff93 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -104,6 +104,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index bf3b0fe75d..6cff3a75ab 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -120,6 +120,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index f501584b6d..38393d9e86 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -110,6 +110,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 84fd17c5ab..8b6beed75f 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 82a79a82e0..8234656f87 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml 
@@ -108,6 +108,7 @@ jobs: sparse-checkout: | .github .agents + actions/setup sparse-checkout-cone-mode: true fetch-depth: 1 - name: Check workflow file timestamps diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go index fb7808c531..725a932510 100644 --- a/pkg/workflow/compiler_activation_job.go +++ b/pkg/workflow/compiler_activation_job.go @@ -613,6 +613,15 @@ func (c *Compiler) generateCheckoutGitHubFolderForActivation(data *WorkflowData) // // Skip when inlined-imports is enabled: content is embedded at compile time and no // runtime-import macros are used, so the callee's .md files are not needed at runtime. + // In dev mode, actions/setup is referenced via a local workspace path (./actions/setup), + // so it must be included in the sparse-checkout to preserve it for the post step. + // In release/script/action modes, the action is in the runner cache and not the workspace. + var extraPaths []string + if c.actionMode.IsDev() { + compilerActivationJobLog.Print("Dev mode: adding actions/setup to sparse-checkout to preserve local action post step") + extraPaths = append(extraPaths, "actions/setup") + } + cm := NewCheckoutManager(nil) if data != nil && hasWorkflowCallTrigger(data.On) && !data.InlinedImports { compilerActivationJobLog.Print("Adding cross-repo-aware .github checkout for workflow_call trigger") @@ -622,6 +631,7 @@ func (c *Compiler) generateCheckoutGitHubFolderForActivation(data *WorkflowData) cm.GetCrossRepoTargetRepo(), cm.GetCrossRepoTargetRef(), GetActionPin, + extraPaths..., ) } 
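Review bot: In the `workflow_call` branch of generateCheckoutGitHubFolderForActivation, `extraPaths...` is passed next to `cm.GetCrossRepoTargetRepo()` and `cm.GetCrossRepoTargetRef()`, so in dev mode the `actions/setup` directory left in the workspace would presumably be the copy from that target repository and ref, and the `./actions/setup` post step would run it. If that is intended, the new comment should say so, for example `// NOTE: with a workflow_call trigger the checkout targets the cross-repo ref, so ./actions/setup is taken from there (dev mode only).`; if it is not, pass `extraPaths` only to the same-repository checkout in the later hunk. The new dev-mode comment is also appended to the block that explains the inlined-imports skip, which now sits above the `extraPaths` code instead of the `if` it describes; a blank line between the two would keep each comment attached to its code. The function starts above this hunk and continues in the following hunks.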
@@ -629,5 +639,5 @@ func (c *Compiler) generateCheckoutGitHubFolderForActivation(data *WorkflowData) // This is needed for runtime imports during prompt generation // sparse-checkout-cone-mode: true ensures subdirectories under .github/ are recursively included compilerActivationJobLog.Print("Adding .github and .agents sparse checkout in activation job") - return cm.GenerateGitHubFolderCheckoutStep("", "", GetActionPin) + return cm.GenerateGitHubFolderCheckoutStep("", "", GetActionPin, extraPaths...) } From 3e00dbc8b911ee288b514de9879fc295febb3467 Mon Sep 17 00:00:00 2001 
From: Landon Cox Date: Sat, 28 Mar 2026 10:35:11 -0700 Subject: [PATCH 7/7] fix: restore proxy-tls exclusion from DIFC proxy artifact upload The proxy-logs/ directory includes proxy-tls/ which contains TLS private key material generated by the DIFC proxy. Uploading this directory risks leaking TLS key material into build artifacts and may cause upload failures if files are root-owned/unreadable. Also update the test to verify both the include and exclusion paths. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/contribution-check.lock.yml | 1 + .github/workflows/daily-issues-report.lock.yml | 1 + .github/workflows/discussion-task-miner.lock.yml | 1 + .github/workflows/grumpy-reviewer.lock.yml | 1 + .github/workflows/issue-arborist.lock.yml | 1 + .github/workflows/issue-monster.lock.yml | 1 + .github/workflows/issue-triage-agent.lock.yml | 1 + .github/workflows/org-health-report.lock.yml | 1 + .github/workflows/plan.lock.yml | 1 + .github/workflows/pr-triage-agent.lock.yml | 1 + .github/workflows/q.lock.yml | 1 + .github/workflows/refiner.lock.yml | 1 + .github/workflows/scout.lock.yml | 1 + .github/workflows/smoke-agent-all-merged.lock.yml | 1 + .github/workflows/smoke-agent-all-none.lock.yml | 1 + .github/workflows/smoke-agent-public-approved.lock.yml | 1 + .github/workflows/smoke-agent-public-none.lock.yml | 1 + .github/workflows/smoke-agent-scoped-approved.lock.yml | 1 + .github/workflows/stale-repo-identifier.lock.yml | 1 + .github/workflows/weekly-blog-post-writer.lock.yml | 1 + .github/workflows/weekly-issue-summary.lock.yml | 1 + .../workflows/weekly-safe-outputs-spec-review.lock.yml | 1 + .github/workflows/workflow-generator.lock.yml | 1 + pkg/workflow/compiler_difc_proxy.go | 10 +++++++--- pkg/workflow/compiler_difc_proxy_test.go | 6 ++++-- 25 files changed, 34 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 5754752b4d..2370996473 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -779,6 +779,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index b1751c3d96..7497738c6d 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -882,6 +882,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index a7a6785eaf..ba4a58957c 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -816,6 +816,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 8cc6d14221..6434733642 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -848,6 +848,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index e49260642c..a3e179edd8 100644 
--- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -809,6 +809,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 8263f82683..f5f5e5c10d 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1128,6 +1128,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 642b21c5c1..a2cc6806fd 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -728,6 +728,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 9dd90bb1fd..4d5968580c 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -818,6 +818,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index deeb5478a0..5a883a8377 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml 
@@ -820,6 +820,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 4da0b6ef48..3b86b56a6e 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -806,6 +806,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 0c72603544..8044e92623 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -987,6 +987,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 1a3ad489be..9b5ce6a3cf 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -789,6 +789,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 1b3ba6ed28..d42e9b94e9 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1054,6 +1054,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl 
diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 3cd6156583..8c1f7c0238 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -757,6 +757,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 3e6a130fbb..16457f9195 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -757,6 +757,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index c1b24aec5f..d72275c45a 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -783,6 +783,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 55b5f921f9..ed43cae707 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -757,6 +757,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl 
diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 5d1f442954..c7e8c29f26 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -761,6 +761,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index a41ee96ab8..b628faa40b 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -884,6 +884,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 94912bba62..cccd9ebcd7 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -919,6 +919,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index b57df21bcf..6865ab9dbf 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -798,6 +798,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl 
diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 47cb86ff93..e96981f2d2 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -738,6 +738,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 6cff3a75ab..a3e37ef577 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -815,6 +815,7 @@ jobs: /tmp/gh-aw/redacted-urls.log /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/proxy-logs/ + !/tmp/gh-aw/proxy-logs/proxy-tls/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl diff --git a/pkg/workflow/compiler_difc_proxy.go b/pkg/workflow/compiler_difc_proxy.go index c7a2846b23..7bc20d61e1 100644 --- a/pkg/workflow/compiler_difc_proxy.go +++ b/pkg/workflow/compiler_difc_proxy.go @@ -274,7 +274,11 @@ func difcProxyLogPaths(data *WorkflowData) []string { if !hasDIFCGuardsConfigured(data) { return nil } - // proxy-logs/ contains TLS certs and container stderr from the proxy - // (mcp-logs/ is already collected as part of standard MCP logging) - return []string{"/tmp/gh-aw/proxy-logs/"} + // proxy-logs/ contains TLS certs and container stderr from the proxy. + // Exclude proxy-tls/ to avoid uploading TLS material (mcp-logs/ is already + // collected as part of standard MCP logging). + return []string{ + "/tmp/gh-aw/proxy-logs/", + "!/tmp/gh-aw/proxy-logs/proxy-tls/", + } } diff --git a/pkg/workflow/compiler_difc_proxy_test.go b/pkg/workflow/compiler_difc_proxy_test.go index 98823ec0cc..ee42df3366 100644 --- a/pkg/workflow/compiler_difc_proxy_test.go +++ b/pkg/workflow/compiler_difc_proxy_test.go 
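Review bot: The new comment in difcProxyLogPaths (pkg/workflow/compiler_difc_proxy.go) says only "TLS material", while the commit message identifies proxy-tls/ as holding TLS private keys, and nothing records that the `!` entry works only because it follows the include it narrows. I would spell both out, e.g. `// proxy-tls/ holds the proxy's TLS private key material; it must never be uploaded.` and `// Order matters: the "!" pattern must follow the include, and no later entry may re-include a parent directory.`; the second assumes the upload step evaluates patterns in order, which is worth confirming against the action in use. The exclusion is only a filter at upload time: the key material still sits under the directory being collected, so writing it outside proxy-logs/ would be more robust if the proxy startup script allows it (not visible here). The function signature is above the hunk.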
@@ -362,8 +362,10 @@ func TestDIFCProxyLogPaths(t *testing.T) { CustomSteps: "steps:\n - name: Fetch\n env:\n GH_TOKEN: ${{ github.token }}\n run: gh issue list", } paths := difcProxyLogPaths(data) - require.Len(t, paths, 1, "should return exactly one path") - assert.Contains(t, paths[0], "proxy-logs", "path should include proxy-logs directory") + require.Len(t, paths, 2, "should return include path and exclusion path") + assert.Contains(t, paths[0], "proxy-logs", "first path should include proxy-logs directory") + assert.Contains(t, paths[1], "proxy-tls", "second path should exclude proxy-tls directory") + assert.True(t, strings.HasPrefix(paths[1], "!"), "exclusion path should start with !") }) }
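Review bot: The assertions on `paths[1]` accept any string that starts with "!" and contains "proxy-tls", so an exclusion pointing at the wrong parent directory would still pass while the key directory is uploaded. Since the exclusion protects key material only when it matches the real path and follows the include, pin the whole slice: `assert.Equal(t, []string{"/tmp/gh-aw/proxy-logs/", "!/tmp/gh-aw/proxy-logs/proxy-tls/"}, paths)`. The hunk adds a `strings.HasPrefix` call without touching imports, so `strings` must already be imported in the test file; that is not visible here. A check on the compiled workflow that the upload step's path list carries the `!` line directly after the include would cover the end-to-end case. The test function starts above the hunk.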