From b4ee1a4b2e40554701dc76607a9b782d11f9df38 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 00:14:28 +0000 Subject: [PATCH 01/11] Initial plan From a07a9f4760dc791a2cd6d494fce256bf616b65eb Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 00:43:00 +0000 Subject: [PATCH 02/11] feat(safe-outputs): add patch-format: bundle support for code-push flows - Create generate_git_bundle.cjs with git bundle generation logic (full and incremental modes, same strategy structure as generate_git_patch.cjs) - Modify safe_outputs_handlers.cjs to check patch_format config and dispatch to bundle or patch generation (bundle path sets bundle_path, patch path sets patch_path on the JSONL entry) - Modify create_pull_request.cjs to handle bundle_path: fetch from bundle into a local branch and push via pushSignedCommits (skips git am) - Modify push_to_pull_request_branch.cjs to handle bundle_path: fetch from bundle into temp ref and ff-merge before pushing via pushSignedCommits - Add PatchFormat field to CreatePullRequestsConfig and PushToPullRequestBranchConfig in Go structs - Add patch_format to serialized handler config in compiler_safe_outputs_config.go - Parse and validate patch-format field in Go parsers (valid: am, bundle) Agent-Logs-Url: https://github.com/github/gh-aw/sessions/220273af-754a-4610-9d4d-f8d2ad9a7c48 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/create_pull_request.cjs | 583 +++++++++++------- actions/setup/js/generate_git_bundle.cjs | 400 ++++++++++++ .../setup/js/push_to_pull_request_branch.cjs | 204 +++--- actions/setup/js/safe_outputs_handlers.cjs | 139 ++++- pkg/workflow/compiler_safe_outputs_config.go | 2 + pkg/workflow/create_pull_request.go | 7 + pkg/workflow/push_to_pull_request_branch.go | 10 + 7 files changed, 1032 insertions(+), 313 deletions(-) create mode 100644 actions/setup/js/generate_git_bundle.cjs diff --git a/actions/setup/js/create_pull_request.cjs b/actions/setup/js/create_pull_request.cjs index dc6a64abca3..47759f4f804 100644 --- a/actions/setup/js/create_pull_request.cjs +++ b/actions/setup/js/create_pull_request.cjs 
@@ -254,6 +254,11 @@ async function main(config = {}) { const patchFilePath = pullRequestItem.patch_path; core.info(`Patch file path: ${patchFilePath || "(not set)"}`); + // Determine the bundle file path from the message (set when patch-format: bundle is configured) + const bundleFilePath = pullRequestItem.bundle_path; + if (bundleFilePath) { + core.info(`Bundle file path: ${bundleFilePath}`); + } // Resolve and validate target repository const repoResult = resolveAndValidateRepo(pullRequestItem, defaultTargetRepo, allowedRepos, "pull request"); if (!repoResult.success) { @@ -307,7 +312,9 @@ async function main(config = {}) { core.info(`Base branch for ${itemRepo}: ${baseBranch}`); // Check if patch file exists and has valid content - if (!patchFilePath || !fs.existsSync(patchFilePath)) { + // Skip this check when a bundle file is present (bundle transport does not use a patch file) + const hasBundleFile = !!(bundleFilePath && fs.existsSync(bundleFilePath)); + if (!hasBundleFile && (!patchFilePath || !fs.existsSync(patchFilePath))) { // If allow-empty is enabled, we can proceed without a patch file if (allowEmpty) { core.info("No patch file found, but allow-empty is enabled - will create empty PR"); @@ -344,9 +351,9 @@ async function main(config = {}) { } let patchContent = ""; - let isEmpty = true; + let isEmpty = hasBundleFile ? false : true; - if (patchFilePath && fs.existsSync(patchFilePath)) { + if (!hasBundleFile && patchFilePath && fs.existsSync(patchFilePath)) { patchContent = fs.readFileSync(patchFilePath, "utf8"); isEmpty = !patchContent || !patchContent.trim(); } 
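Review bot: `bundleFilePath` is read from `pullRequestItem.bundle_path` and only logged here, with no check that it points where the bundle generator writes its output. Later in this patch the same value is passed as the repository argument to `git fetch`, so any path that exists on disk is accepted as a source of commits. Whether the safe-output entry can be influenced by anything other than the handler is not visible in this hunk; if it can, I would reject any value that does not resolve under `/tmp/gh-aw/` and end in `.bundle`, returning `{ success: false, error: ... }` before the path is used. `main` starts and ends outside this hunk.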
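Review bot: When `bundle_path` is set but the file is missing, `hasBundleFile` is false and control falls into the existing "no patch file" branch, so with allow-empty the handler would open an empty PR and the agent's commits would be dropped without any message that mentions the bundle. A dedicated guard ahead of this check, `if (bundleFilePath && !hasBundleFile) return { success: false, error: "Bundle file not found" };`, keeps that failure visible. `fs.existsSync` is also true for a directory, so pairing it with an `isFile()` test on the stat result would be tighter.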
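Review bot: On the bundle path `patchContent` stays `""` while `isEmpty` is forced to `false`, so every later check that inspects `patchContent` runs against an empty string. The validation and protected-file checks sit outside this hunk, so I cannot confirm how they read their input, but if they parse the patch text they would not see what the bundle changes. For bundle mode I would derive the changed-file list from the fetched commits before pushing (for example a `git diff --name-only` between `origin/${baseBranch}` and the bundle tip), or add a comment explaining why those checks do not apply. Minor: `hasBundleFile ? false : true` reads better as `!hasBundleFile`.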
@@ -536,6 +543,9 @@ async function main(config = {}) { let bodyLines = processedBody.split("\n"); let branchName = pullRequestItem.branch ? pullRequestItem.branch.trim() : null; + // Preserve the original agent branch name for bundle transport (the bundle was created + // using this branch name as the refs/heads ref inside the bundle file). + const originalAgentBranch = branchName; const randomHex = crypto.randomBytes(8).toString("hex"); // SECURITY: Sanitize branch name to prevent shell injection (CWE-78) 
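Review bot: `originalAgentBranch` is captured before the CWE-78 sanitization on the following lines, and it is the value later used as `bundleBranchRef`. In the bundle branch it is interpolated into the fetch refspec `refs/heads/${bundleBranchRef}:refs/heads/${branchName}` and into the copy-paste `sh` block of the fallback issue body, so characters that are meaningful in a refspec or on a shell line reach both places unfiltered. The array form of `exec.exec` avoids shell parsing for the fetch itself, but the issue text is meant to be pasted into a terminal by a maintainer. I would validate the name first (for example with `git check-ref-format --branch`) and fail the item if it is rejected. The comment here should also say that the value is intentionally unsanitized and must only be used in argv-style calls.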
@@ -671,117 +681,30 @@ async function main(config = {}) { // This works even when we're already on the base branch await exec.exec(`git fetch origin ${baseBranch}`); - // Checkout the base branch (using origin/${baseBranch} if local doesn't exist) - try { - await exec.exec(`git checkout ${baseBranch}`); - } catch (checkoutError) { - // If local branch doesn't exist, create it from origin - core.info(`Local branch ${baseBranch} doesn't exist, creating from origin/${baseBranch}`); - await exec.exec(`git checkout -b ${baseBranch} origin/${baseBranch}`); - } - - // Handle branch creation/checkout - core.info(`Branch should not exist locally, creating new branch from base: ${branchName}`); - await exec.exec(`git checkout -b ${branchName}`); - core.info(`Created new branch from base: ${branchName}`); - - // Apply the patch using git CLI (skip if empty) + // Apply the patch/bundle using git CLI (skip if empty) // Track number of new commits pushed so we can restrict the extra empty commit // to branches with exactly one new commit (security: prevents use of CI trigger // token on multi-commit branches where workflow files may have been modified). let newCommitCount = 0; - if (!isEmpty) { - core.info("Applying patch..."); - - // Log first 500 lines of patch for debugging - const patchLines = patchContent.split("\n"); - const previewLineCount = Math.min(500, patchLines.length); - core.info(`Patch preview (first ${previewLineCount} of ${patchLines.length} lines):`); - for (let i = 0; i < previewLineCount; i++) { - core.info(patchLines[i]); - } - - // Patches are created with git format-patch, so use git am to apply them - // Use --3way to handle cross-repo patches where the patch base may differ from target repo - // This allows git to resolve create-vs-modify mismatches when a file exists in target but not source - let patchApplied = false; + if (hasBundleFile) { + // Bundle transport: fetch commits directly from the bundle file. 
+ // This preserves merge commit topology and per-commit metadata (messages, authorship) + // unlike git format-patch which flattens history and drops merge resolution content. + core.info(`Applying changes from bundle: ${bundleFilePath}`); + const bundleBranchRef = originalAgentBranch || branchName; try { - await exec.exec("git", ["am", "--3way", patchFilePath]); - core.info("Patch applied successfully"); - patchApplied = true; - } catch (patchError) { - core.error(`Failed to apply patch with --3way: ${patchError instanceof Error ? patchError.message : String(patchError)}`); - - // Investigate why the patch failed by logging git status and the failed patch - try { - core.info("Investigating patch failure..."); - - // Log git status to see the current state - const statusResult = await exec.getExecOutput("git", ["status"]); - core.info("Git status output:"); - core.info(statusResult.stdout); - - // Log the failed patch diff - const patchResult = await exec.getExecOutput("git", ["am", "--show-current-patch=diff"]); - core.info("Failed patch content:"); - core.info(patchResult.stdout); - } catch (investigateError) { - core.warning(`Failed to investigate patch failure: ${investigateError instanceof Error ? investigateError.message : String(investigateError)}`); - } - - // Abort the failed git am before attempting any fallback - try { - await exec.exec("git am --abort"); - core.info("Aborted failed git am"); - } catch (abortError) { - core.warning(`Failed to abort git am: ${abortError instanceof Error ? abortError.message : String(abortError)}`); - } - - // Fallback (Option 1): create the PR branch at the original base commit so the PR - // can still be created. GitHub will show the merge conflicts, allowing manual resolution. - // This handles the case where the target branch received intervening commits after - // the patch was generated, making --3way unable to resolve the conflicts automatically. 
- core.info("Attempting fallback: create PR branch at original base commit..."); - try { - // Use the base commit recorded at patch generation time. - // The From header in format-patch output contains the agent's new commit SHA - // which does not exist in this checkout, so we cannot derive the base from it. - const originalBaseCommit = pullRequestItem.base_commit; - if (!originalBaseCommit) { - core.warning("No base_commit recorded in safe output entry - fallback not possible"); - } else { - core.info(`Original base commit from patch generation: ${originalBaseCommit}`); - - // Verify the base commit is available in this repo (may not exist cross-repo) - await exec.exec("git", ["cat-file", "-e", originalBaseCommit]); - core.info("Original base commit exists locally - proceeding with fallback"); - - // Re-create the PR branch at the original base commit - await exec.exec(`git checkout ${baseBranch}`); - try { - await exec.exec(`git branch -D ${branchName}`); - } catch { - // Branch may not exist yet, ignore - } - await exec.exec(`git checkout -b ${branchName} ${originalBaseCommit}`); - core.info(`Created branch ${branchName} at original base commit ${originalBaseCommit}`); - - // Apply the patch without --3way; we are on the correct base so it should apply cleanly - await exec.exec(`git am ${patchFilePath}`); - core.info("Patch applied successfully at original base commit"); - core.warning(`PR branch ${branchName} is based on an earlier commit than the current ${baseBranch} HEAD. The pull request will show merge conflicts that require manual resolution.`); - patchApplied = true; - } - } catch (fallbackError) { - core.warning(`Fallback to original base commit failed: ${fallbackError instanceof Error ? fallbackError.message : String(fallbackError)}`); - } - - if (!patchApplied) { - return { success: false, error: "Failed to apply patch" }; - } + // Fetch from bundle: creates a local branch pointing to the bundle's tip commit. 
+ // The bundle contains refs/heads/ which was the agent's working branch. + await exec.exec("git", ["fetch", bundleFilePath, `refs/heads/${bundleBranchRef}:refs/heads/${branchName}`]); + core.info(`Created local branch ${branchName} from bundle`); + await exec.exec("git", ["checkout", branchName]); + core.info(`Checked out branch ${branchName} from bundle`); + } catch (bundleError) { + core.error(`Failed to apply bundle: ${bundleError instanceof Error ? bundleError.message : String(bundleError)}`); + return { success: false, error: "Failed to apply bundle" }; } - // Push the applied commits to the branch (with fallback to issue creation on failure) + // Push the commits from the bundle to the remote branch try { // Check if remote branch already exists (optional precheck) let remoteBranchExists = false; 
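Review bot: The bundle is fetched without a prior `git bundle verify`, so a file that is not a well-formed bundle, or one whose prerequisite commits are absent from this checkout, is only detected through whatever `git fetch` happens to report. Running `await exec.exec("git", ["bundle", "verify", bundleFilePath]);` ahead of the fetch gives a clear, early failure and confirms the bundle applies to this repository. Nothing here checks that the fetched tip shares history with `origin/${baseBranch}` either; the later `rev-list --count origin/${baseBranch}..HEAD` would then count the whole unrelated history. The `try` around the push opens in this hunk and closes in a later one.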
@@ -812,62 +735,40 @@ async function main(config = {}) { baseRef: `origin/${baseBranch}`, cwd: process.cwd(), }); - core.info("Changes pushed to branch"); + core.info("Changes pushed to branch (from bundle)"); - // Count new commits on PR branch relative to base, used to restrict - // the extra empty CI-trigger commit to exactly 1 new commit. + // Count new commits on PR branch relative to base try { const { stdout: countStr } = await exec.getExecOutput("git", ["rev-list", "--count", `origin/${baseBranch}..HEAD`]); newCommitCount = parseInt(countStr.trim(), 10); core.info(`${newCommitCount} new commit(s) on branch relative to origin/${baseBranch}`); } catch { - // Non-fatal - newCommitCount stays 0, extra empty commit will be skipped core.info("Could not count new commits - extra empty commit will be skipped"); } } catch (pushError) { - // Push failed - create fallback issue instead of PR (if fallback is enabled) core.error(`Git push failed: ${pushError instanceof Error ? pushError.message : String(pushError)}`); - if (manifestProtectionFallback) { - // Push failed specifically for a protected-file modification. Don't create - // a generic push-failed issue — fall through to the manifestProtectionFallback - // block below, which will create the proper protected-file review issue with - // patch artifact download instructions (since the branch was not pushed). - core.warning("Git push failed for protected-file modification - deferring to protected-file review issue"); - manifestProtectionPushFailedError = pushError; - } else if (!fallbackAsIssue) { - // Fallback is disabled - return error without creating issue - core.error("fallback-as-issue is disabled - not creating fallback issue"); + if (!fallbackAsIssue) { const error = `Failed to push changes: ${pushError instanceof Error ? 
pushError.message : String(pushError)}`; - return { - success: false, - error, - error_type: "push_failed", - }; - } else { - core.warning("Git push operation failed - creating fallback issue instead of pull request"); + return { success: false, error, error_type: "push_failed" }; + } - const runUrl = buildWorkflowRunUrl(context, context.repo); - const runId = context.runId; + core.warning("Git push operation failed - creating fallback issue instead of pull request"); - // Read patch content for preview - let patchPreview = ""; - if (patchFilePath && fs.existsSync(patchFilePath)) { - const patchContent = fs.readFileSync(patchFilePath, "utf8"); - patchPreview = generatePatchPreview(patchContent); - } + const runUrl = buildWorkflowRunUrl(context, context.repo); + const runId = context.runId; - const patchFileName = patchFilePath ? patchFilePath.replace("/tmp/gh-aw/", "") : "aw-unknown.patch"; - const fallbackBody = `${body} + const patchFileName = bundleFilePath ? bundleFilePath.replace("/tmp/gh-aw/", "") : "aw-unknown.bundle"; + const fallbackBody = `${body} --- > [!NOTE] > This was originally intended as a pull request, but the git push operation failed. > -> **Workflow Run:** [View run details and download patch artifact](${runUrl}) +> **Workflow Run:** [View run details and download bundle artifact](${runUrl}) > -> The patch file is available in the \`agent\` artifact in the workflow run linked above. +> The bundle file is available in the \`agent\` artifact in the workflow run linked above. To create a pull request with the changes: 
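Review bot: The push-failure handler in the bundle branch no longer has the `manifestProtectionFallback` case: the removed lines set `manifestProtectionPushFailedError = pushError` and deferred to the protected-file review issue, while the new code goes straight to `if (!fallbackAsIssue)`. With bundle transport, a rejected push for a protected-file change would therefore produce the generic fallback issue (or a plain `push_failed` error) rather than the review issue that the later block creates. If that is intended, it needs a comment saying so; otherwise keep `if (manifestProtectionFallback) { manifestProtectionPushFailedError = pushError; } else if (!fallbackAsIssue) {` here, as the patch branch does. This handler starts in the previous hunk and continues in the next.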
@@ -875,82 +776,147 @@ To create a pull request with the changes: # Download the artifact from the workflow run gh run download ${runId} -n agent -D /tmp/agent-${runId} -# Create a new branch -git checkout -b ${branchName} - -# Apply the patch (--3way handles cross-repo patches where files may already exist) -git am --3way /tmp/agent-${runId}/${patchFileName} +# Fetch the bundle into a local branch +git fetch /tmp/agent-${runId}/${patchFileName} refs/heads/${bundleBranchRef}:refs/heads/${branchName} +git checkout ${branchName} # Push the branch to origin git push origin ${branchName} # Create the pull request gh pr create --title '${title}' --base ${baseBranch} --head ${branchName} --repo ${repoParts.owner}/${repoParts.repo} -\`\`\` -${patchPreview}`; +\`\`\``; - try { - const { data: issue } = await githubClient.rest.issues.create({ - owner: repoParts.owner, - repo: repoParts.repo, - title: title, - body: fallbackBody, - labels: mergeFallbackIssueLabels(labels), - }); + try { + const { data: issue } = await githubClient.rest.issues.create({ + owner: repoParts.owner, + repo: repoParts.repo, + title: title, + body: fallbackBody, + labels: mergeFallbackIssueLabels(labels), + }); - core.info(`Created fallback issue #${issue.number}: ${issue.html_url}`); + core.info(`Created fallback issue #${issue.number}: ${issue.html_url}`); + await updateActivationComment(github, context, core, issue.html_url, issue.number, "issue"); - // Update the activation comment with issue link (if a comment was created) - // - // NOTE: we pass 'github' (global octokit) instead of githubClient (repo-scoped octokit) because the issue is created - // in the same repo as the activation, so the global client has the correct context for updating the comment. 
- await updateActivationComment(github, context, core, issue.html_url, issue.number, "issue"); + return { + success: true, + fallback_used: true, + issue_number: issue.number, + issue_url: issue.html_url, + }; + } catch (issueError) { + const error = `Failed to push changes and failed to create fallback issue. Push error: ${pushError instanceof Error ? pushError.message : String(pushError)}. Issue error: ${issueError instanceof Error ? issueError.message : String(issueError)}`; + return { success: false, error }; + } + } + } else { + // Checkout the base branch (using origin/${baseBranch} if local doesn't exist) + try { + await exec.exec(`git checkout ${baseBranch}`); + } catch (checkoutError) { + // If local branch doesn't exist, create it from origin + core.info(`Local branch ${baseBranch} doesn't exist, creating from origin/${baseBranch}`); + await exec.exec(`git checkout -b ${baseBranch} origin/${baseBranch}`); + } - // Write summary to GitHub Actions summary - await core.summary - .addRaw( - ` + // Handle branch creation/checkout + core.info(`Branch should not exist locally, creating new branch from base: ${branchName}`); + await exec.exec(`git checkout -b ${branchName}`); + core.info(`Created new branch from base: ${branchName}`); + + // Apply the patch using git CLI (skip if empty) + if (!isEmpty) { + core.info("Applying patch..."); + const patchLines = patchContent.split("\n"); + const previewLineCount = Math.min(500, patchLines.length); + core.info(`Patch preview (first ${previewLineCount} of ${patchLines.length} lines):`); + for (let i = 0; i < previewLineCount; i++) { + core.info(patchLines[i]); + } -## Push Failure Fallback -- **Push Error:** ${pushError instanceof Error ? 
pushError.message : String(pushError)} -- **Fallback Issue:** [#${issue.number}](${issue.html_url}) -- **Patch Artifact:** Available in workflow run artifacts -- **Note:** Push failed, created issue as fallback -` - ) - .write(); + // Patches are created with git format-patch, so use git am to apply them + // Use --3way to handle cross-repo patches where the patch base may differ from target repo + // This allows git to resolve create-vs-modify mismatches when a file exists in target but not source + let patchApplied = false; + try { + await exec.exec("git", ["am", "--3way", patchFilePath]); + core.info("Patch applied successfully"); + patchApplied = true; + } catch (patchError) { + core.error(`Failed to apply patch with --3way: ${patchError instanceof Error ? patchError.message : String(patchError)}`); - return { - success: true, - fallback_used: true, - push_failed: true, - issue_number: issue.number, - issue_url: issue.html_url, - branch_name: branchName, - repo: itemRepo, - }; - } catch (issueError) { - const error = `Failed to push and failed to create fallback issue. Push error: ${pushError instanceof Error ? pushError.message : String(pushError)}. Issue error: ${issueError instanceof Error ? issueError.message : String(issueError)}`; - core.error(error); - return { - success: false, - error, - }; + // Investigate why the patch failed by logging git status and the failed patch + try { + core.info("Investigating patch failure..."); + + // Log git status to see the current state + const statusResult = await exec.getExecOutput("git", ["status"]); + core.info("Git status output:"); + core.info(statusResult.stdout); + + // Log the failed patch diff + const patchResult = await exec.getExecOutput("git", ["am", "--show-current-patch=diff"]); + core.info("Failed patch content:"); + core.info(patchResult.stdout); + } catch (investigateError) { + core.warning(`Failed to investigate patch failure: ${investigateError instanceof Error ? 
investigateError.message : String(investigateError)}`); } - } // end else (generic push-failed fallback) - } - } else { - core.info("Skipping patch application (empty patch)"); - // For empty patches with allow-empty, we still need to push the branch - if (allowEmpty) { - core.info("allow-empty is enabled - will create branch and push with empty commit"); - // Push the branch with an empty commit to allow PR creation - try { - // Create an empty commit to ensure there's a commit difference - await exec.exec(`git commit --allow-empty -m "Initialize"`); - core.info("Created empty commit"); + // Abort the failed git am before attempting any fallback + try { + await exec.exec("git am --abort"); + core.info("Aborted failed git am"); + } catch (abortError) { + core.warning(`Failed to abort git am: ${abortError instanceof Error ? abortError.message : String(abortError)}`); + } + + // Fallback (Option 1): create the PR branch at the original base commit so the PR + // can still be created. GitHub will show the merge conflicts, allowing manual resolution. + // This handles the case where the target branch received intervening commits after + // the patch was generated, making --3way unable to resolve the conflicts automatically. + core.info("Attempting fallback: create PR branch at original base commit..."); + try { + // Use the base commit recorded at patch generation time. + // The From header in format-patch output contains the agent's new commit SHA + // which does not exist in this checkout, so we cannot derive the base from it. 
+ const originalBaseCommit = pullRequestItem.base_commit; + if (!originalBaseCommit) { + core.warning("No base_commit recorded in safe output entry - fallback not possible"); + } else { + core.info(`Original base commit from patch generation: ${originalBaseCommit}`); + + // Verify the base commit is available in this repo (may not exist cross-repo) + await exec.exec("git", ["cat-file", "-e", originalBaseCommit]); + core.info("Original base commit exists locally - proceeding with fallback"); + + // Re-create the PR branch at the original base commit + await exec.exec(`git checkout ${baseBranch}`); + try { + await exec.exec(`git branch -D ${branchName}`); + } catch { + // Branch may not exist yet, ignore + } + await exec.exec(`git checkout -b ${branchName} ${originalBaseCommit}`); + core.info(`Created branch ${branchName} at original base commit ${originalBaseCommit}`); + + // Apply the patch without --3way; we are on the correct base so it should apply cleanly + await exec.exec(`git am ${patchFilePath}`); + core.info("Patch applied successfully at original base commit"); + core.warning(`PR branch ${branchName} is based on an earlier commit than the current ${baseBranch} HEAD. The pull request will show merge conflicts that require manual resolution.`); + patchApplied = true; + } + } catch (fallbackError) { + core.warning(`Fallback to original base commit failed: ${fallbackError instanceof Error ? fallbackError.message : String(fallbackError)}`); + } + + if (!patchApplied) { + return { success: false, error: "Failed to apply patch" }; + } + } + // Push the applied commits to the branch (with fallback to issue creation on failure) + try { // Check if remote branch already exists (optional precheck) let remoteBranchExists = false; try { 
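Review bot: The fallback-issue result returned from the bundle branch carries only `success`, `fallback_used`, `issue_number` and `issue_url`, whereas the patch branch re-added later in this patch also returns `push_failed: true`, `branch_name: branchName` and `repo: itemRepo` and writes a "Push Failure Fallback" section to `core.summary`. Callers that key on `push_failed` or `branch_name` may therefore treat the two transports differently. I would add those three fields to the bundle branch's return value. The `issueError` catch should also call `core.error(error)` before returning, as the patch branch does. The enclosing `if (hasBundleFile)` block opens in an earlier hunk.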
@@ -980,9 +946,10 @@ ${patchPreview}`; baseRef: `origin/${baseBranch}`, cwd: process.cwd(), }); - core.info("Empty branch pushed successfully"); + core.info("Changes pushed to branch"); - // Count new commits (will be 1 from the Initialize commit) + // Count new commits on PR branch relative to base, used to restrict + // the extra empty CI-trigger commit to exactly 1 new commit. try { const { stdout: countStr } = await exec.getExecOutput("git", ["rev-list", "--count", `origin/${baseBranch}..HEAD`]); newCommitCount = parseInt(countStr.trim(), 10); 
@@ -992,32 +959,200 @@ ${patchPreview}`; core.info("Could not count new commits - extra empty commit will be skipped"); } } catch (pushError) { - const error = `Failed to push empty branch: ${pushError instanceof Error ? pushError.message : String(pushError)}`; - core.error(error); - return { - success: false, - error, - }; + // Push failed - create fallback issue instead of PR (if fallback is enabled) + core.error(`Git push failed: ${pushError instanceof Error ? pushError.message : String(pushError)}`); + + if (manifestProtectionFallback) { + // Push failed specifically for a protected-file modification. Don't create + // a generic push-failed issue — fall through to the manifestProtectionFallback + // block below, which will create the proper protected-file review issue with + // patch artifact download instructions (since the branch was not pushed). + core.warning("Git push failed for protected-file modification - deferring to protected-file review issue"); + manifestProtectionPushFailedError = pushError; + } else if (!fallbackAsIssue) { + // Fallback is disabled - return error without creating issue + core.error("fallback-as-issue is disabled - not creating fallback issue"); + const error = `Failed to push changes: ${pushError instanceof Error ? pushError.message : String(pushError)}`; + return { + success: false, + error, + error_type: "push_failed", + }; + } else { + core.warning("Git push operation failed - creating fallback issue instead of pull request"); + + const runUrl = buildWorkflowRunUrl(context, context.repo); + const runId = context.runId; + + // Read patch content for preview + let patchPreview = ""; + if (patchFilePath && fs.existsSync(patchFilePath)) { + const patchContent = fs.readFileSync(patchFilePath, "utf8"); + patchPreview = generatePatchPreview(patchContent); + } + + const patchFileName = patchFilePath ? 
patchFilePath.replace("/tmp/gh-aw/", "") : "aw-unknown.patch"; + const fallbackBody = `${body} + +--- + +> [!NOTE] +> This was originally intended as a pull request, but the git push operation failed. +> +> **Workflow Run:** [View run details and download patch artifact](${runUrl}) +> +> The patch file is available in the \`agent\` artifact in the workflow run linked above. + +To create a pull request with the changes: + +\`\`\`sh +# Download the artifact from the workflow run +gh run download ${runId} -n agent -D /tmp/agent-${runId} + +# Create a new branch +git checkout -b ${branchName} + +# Apply the patch (--3way handles cross-repo patches where files may already exist) +git am --3way /tmp/agent-${runId}/${patchFileName} + +# Push the branch to origin +git push origin ${branchName} + +# Create the pull request +gh pr create --title '${title}' --base ${baseBranch} --head ${branchName} --repo ${repoParts.owner}/${repoParts.repo} +\`\`\` +${patchPreview}`; + + try { + const { data: issue } = await githubClient.rest.issues.create({ + owner: repoParts.owner, + repo: repoParts.repo, + title: title, + body: fallbackBody, + labels: mergeFallbackIssueLabels(labels), + }); + + core.info(`Created fallback issue #${issue.number}: ${issue.html_url}`); + + // Update the activation comment with issue link (if a comment was created) + // + // NOTE: we pass 'github' (global octokit) instead of githubClient (repo-scoped octokit) because the issue is created + // in the same repo as the activation, so the global client has the correct context for updating the comment. + await updateActivationComment(github, context, core, issue.html_url, issue.number, "issue"); + + // Write summary to GitHub Actions summary + await core.summary + .addRaw( + ` + +## Push Failure Fallback +- **Push Error:** ${pushError instanceof Error ? 
pushError.message : String(pushError)} +- **Fallback Issue:** [#${issue.number}](${issue.html_url}) +- **Patch Artifact:** Available in workflow run artifacts +- **Note:** Push failed, created issue as fallback +` + ) + .write(); + + return { + success: true, + fallback_used: true, + push_failed: true, + issue_number: issue.number, + issue_url: issue.html_url, + branch_name: branchName, + repo: itemRepo, + }; + } catch (issueError) { + const error = `Failed to push and failed to create fallback issue. Push error: ${pushError instanceof Error ? pushError.message : String(pushError)}. Issue error: ${issueError instanceof Error ? issueError.message : String(issueError)}`; + core.error(error); + return { + success: false, + error, + }; + } + } // end else (generic push-failed fallback) } } else { - // For empty patches without allow-empty, handle if-no-changes configuration - const message = "No changes to apply - noop operation completed successfully"; + core.info("Skipping patch application (empty patch)"); - switch (ifNoChanges) { - case "error": - return { success: false, error: "No changes to apply - failing as configured by if-no-changes: error" }; + // For empty patches with allow-empty, we still need to push the branch + if (allowEmpty) { + core.info("allow-empty is enabled - will create branch and push with empty commit"); + // Push the branch with an empty commit to allow PR creation + try { + // Create an empty commit to ensure there's a commit difference + await exec.exec(`git commit --allow-empty -m "Initialize"`); + core.info("Created empty commit"); - case "ignore": - // Silent success - no console output - return { success: false, skipped: true }; + // Check if remote branch already exists (optional precheck) + let remoteBranchExists = false; + try { + const { stdout } = await exec.getExecOutput(`git ls-remote --heads origin ${branchName}`); + if (stdout.trim()) { + remoteBranchExists = true; + } + } catch (checkError) { + core.info(`Remote branch check 
failed (non-fatal): ${checkError instanceof Error ? checkError.message : String(checkError)}`); + } - case "warn": - default: - core.warning(message); - return { success: false, error: message, skipped: true }; + if (remoteBranchExists) { + core.warning(`Remote branch ${branchName} already exists - appending random suffix`); + const extraHex = crypto.randomBytes(4).toString("hex"); + const oldBranch = branchName; + branchName = `${branchName}-${extraHex}`; + // Rename local branch + await exec.exec(`git branch -m ${oldBranch} ${branchName}`); + core.info(`Renamed branch to ${branchName}`); + } + + await pushSignedCommits({ + githubClient, + owner: repoParts.owner, + repo: repoParts.repo, + branch: branchName, + baseRef: `origin/${baseBranch}`, + cwd: process.cwd(), + }); + core.info("Empty branch pushed successfully"); + + // Count new commits (will be 1 from the Initialize commit) + try { + const { stdout: countStr } = await exec.getExecOutput("git", ["rev-list", "--count", `origin/${baseBranch}..HEAD`]); + newCommitCount = parseInt(countStr.trim(), 10); + core.info(`${newCommitCount} new commit(s) on branch relative to origin/${baseBranch}`); + } catch { + // Non-fatal - newCommitCount stays 0, extra empty commit will be skipped + core.info("Could not count new commits - extra empty commit will be skipped"); + } + } catch (pushError) { + const error = `Failed to push empty branch: ${pushError instanceof Error ? 
pushError.message : String(pushError)}`; + core.error(error); + return { + success: false, + error, + }; + } + } else { + // For empty patches without allow-empty, handle if-no-changes configuration + const message = "No changes to apply - noop operation completed successfully"; + + switch (ifNoChanges) { + case "error": + return { success: false, error: "No changes to apply - failing as configured by if-no-changes: error" }; + + case "ignore": + // Silent success - no console output + return { success: false, skipped: true }; + + case "warn": + default: + core.warning(message); + return { success: false, error: message, skipped: true }; + } } - } - } + } // end if (!isEmpty) / else patch application block + } // end else (!hasBundleFile - patch path) // Protected file protection – fallback-to-issue path: // The patch has been applied (and pushed, unless manifestProtectionPushFailedError is set). diff --git a/actions/setup/js/generate_git_bundle.cjs b/actions/setup/js/generate_git_bundle.cjs new file mode 100644 index 00000000000..c254439f892 --- /dev/null +++ b/actions/setup/js/generate_git_bundle.cjs 
@@ -0,0 +1,400 @@ +// @ts-check +/// + +// SEC-005: This module generates git bundles via git CLI commands and does not make +// GitHub API calls using a user-supplied target repository. The "target repo" references +// in documentation describe cross-repo checkout scenarios only; no validateTargetRepo +// allowlist check is required in this handler. + +const fs = require("fs"); +const path = require("path"); + +const { getErrorMessage } = require("./error_helpers.cjs"); +const { execGitSync, getGitAuthEnv } = require("./git_helpers.cjs"); +const { ERR_SYSTEM } = require("./error_codes.cjs"); + +/** + * Debug logging helper - logs to stderr when DEBUG env var matches + * @param {string} message - Debug message to log + */ +function debugLog(message) { + const debug = process.env.DEBUG || ""; + if (debug === "*" || debug.includes("generate_git_bundle") || debug.includes("bundle")) { + console.error(`[generate_git_bundle] ${message}`); + } +} + +/** + * Sanitize a string for use as a bundle filename component. + * Replaces path separators and special characters with dashes. 
+ * @param {string} value - The value to sanitize + * @param {string} fallback - Fallback value when input is empty or nullish + * @returns {string} The sanitized string safe for use in a filename + */ +function sanitizeForFilename(value, fallback) { + if (!value) return fallback; + return value + .replace(/[/\\:*?"<>|]/g, "-") + .replace(/-{2,}/g, "-") + .replace(/^-|-$/g, "") + .toLowerCase(); +} + +/** + * Sanitize a branch name for use as a bundle filename + * @param {string} branchName - The branch name to sanitize + * @returns {string} The sanitized branch name safe for use in a filename + */ +function sanitizeBranchNameForBundle(branchName) { + return sanitizeForFilename(branchName, "unknown"); +} + +/** + * Get the bundle file path for a given branch name + * @param {string} branchName - The branch name + * @returns {string} The full bundle file path + */ +function getBundlePath(branchName) { + const sanitized = sanitizeBranchNameForBundle(branchName); + return `/tmp/gh-aw/aw-${sanitized}.bundle`; +} + +/** + * Sanitize a repo slug for use in a filename + * @param {string} repoSlug - The repo slug (owner/repo) + * @returns {string} The sanitized slug safe for use in a filename + */ +function sanitizeRepoSlugForBundle(repoSlug) { + return sanitizeForFilename(repoSlug, ""); +} + +/** + * Get the bundle file path for a given branch name and repo slug + * Used for multi-repo scenarios to prevent bundle file collisions + * @param {string} branchName - The branch name + * @param {string} repoSlug - The repository slug (owner/repo) + * @returns {string} The full bundle file path including repo disambiguation + */ +function getBundlePathForRepo(branchName, repoSlug) { + const sanitizedBranch = sanitizeBranchNameForBundle(branchName); + const sanitizedRepo = sanitizeRepoSlugForBundle(repoSlug); + return `/tmp/gh-aw/aw-${sanitizedRepo}-${sanitizedBranch}.bundle`; +} + +/** + * Generates a git bundle file for the current changes. 
+ * Bundle transport preserves merge commit topology and per-commit metadata, + * unlike format-patch which loses merge resolution content. + * + * @param {string} branchName - The branch name to generate bundle for + * @param {string} baseBranch - The base branch to diff against (e.g., "main", "master") + * @param {Object} [options] - Optional parameters + * @param {string} [options.mode="full"] - Bundle generation mode: + * - "full": Include all commits since merge-base with default branch (for create_pull_request) + * - "incremental": Only include commits since origin/branchName (for push_to_pull_request_branch) + * In incremental mode, origin/branchName is fetched explicitly and merge-base fallback is disabled. + * @param {string} [options.cwd] - Working directory for git commands. Defaults to GITHUB_WORKSPACE or process.cwd(). + * Use this for multi-repo scenarios where repos are checked out to subdirectories. + * @param {string} [options.repoSlug] - Repository slug (owner/repo) to include in bundle filename for disambiguation. + * Required for multi-repo scenarios to prevent bundle file collisions. + * @param {string} [options.token] - GitHub token for git authentication. Falls back to GITHUB_TOKEN env var. + * Use this for cross-repo scenarios where a custom PAT with access to the target repo is needed. + * @returns {Promise} Object with bundle info or error + */ +async function generateGitBundle(branchName, baseBranch, options = {}) { + const mode = options.mode || "full"; + // Support custom cwd for multi-repo scenarios + const cwd = options.cwd || process.env.GITHUB_WORKSPACE || process.cwd(); + + const bundlePath = options.repoSlug ? 
getBundlePathForRepo(branchName, options.repoSlug) : getBundlePath(branchName); + + // Validate baseBranch early to avoid confusing git errors (e.g., origin/undefined) + if (typeof baseBranch !== "string" || baseBranch.trim() === "") { + const errorMessage = "baseBranch is required and must be a non-empty string (received: " + String(baseBranch) + ")"; + debugLog(`Invalid baseBranch: ${errorMessage}`); + return { + bundlePath, + bundleGenerated: false, + errorMessage, + }; + } + + const defaultBranch = baseBranch; + const githubSha = process.env.GITHUB_SHA; + + debugLog(`Starting bundle generation: mode=${mode}, branch=${branchName}, defaultBranch=${defaultBranch}`); + debugLog(`Environment: cwd=${cwd}, GITHUB_SHA=${githubSha || "(not set)"}`); + + // Ensure /tmp/gh-aw directory exists + const bundleDir = path.dirname(bundlePath); + if (!fs.existsSync(bundleDir)) { + fs.mkdirSync(bundleDir, { recursive: true }); + } + + let bundleGenerated = false; + let errorMessage = null; + let baseCommitSha = null; + + try { + // Strategy 1: If we have a branch name, check if that branch exists and create bundle + if (branchName) { + debugLog(`Strategy 1: Checking if branch '${branchName}' exists locally`); + try { + execGitSync(["show-ref", "--verify", "--quiet", `refs/heads/${branchName}`], { cwd }); + debugLog(`Strategy 1: Branch '${branchName}' exists locally`); + + // Determine base ref for bundle generation + let baseRef; + + if (mode === "incremental") { + // INCREMENTAL MODE (for push_to_pull_request_branch): + // Only include commits that are new since origin/branchName. 
+ debugLog(`Strategy 1 (incremental): Fetching origin/${branchName}`); + const fetchEnv = { ...process.env, ...getGitAuthEnv(options.token) }; + + try { + execGitSync(["fetch", "origin", "--", `${branchName}:refs/remotes/origin/${branchName}`], { cwd, env: fetchEnv }); + baseRef = `origin/${branchName}`; + debugLog(`Strategy 1 (incremental): Successfully fetched, baseRef=${baseRef}`); + } catch (fetchError) { + debugLog(`Strategy 1 (incremental): Fetch failed - ${getErrorMessage(fetchError)}, checking for existing remote tracking ref`); + try { + execGitSync(["show-ref", "--verify", "--quiet", `refs/remotes/origin/${branchName}`], { cwd }); + baseRef = `origin/${branchName}`; + debugLog(`Strategy 1 (incremental): Using existing remote tracking ref as fallback, baseRef=${baseRef}`); + } catch (refCheckError) { + debugLog(`Strategy 1 (incremental): No existing remote tracking ref found (${getErrorMessage(refCheckError)}), failing`); + errorMessage = `Cannot generate incremental bundle: failed to fetch origin/${branchName} and no existing remote tracking ref found. Fetch error: ${getErrorMessage(fetchError)}`; + return { + success: false, + error: errorMessage, + bundlePath, + }; + } + } + } else { + // FULL MODE (for create_pull_request): + // Include all commits since merge-base with default branch. 
+ debugLog(`Strategy 1 (full): Checking if origin/${branchName} exists`); + try { + execGitSync(["show-ref", "--verify", "--quiet", `refs/remotes/origin/${branchName}`], { cwd }); + baseRef = `origin/${branchName}`; + debugLog(`Strategy 1 (full): Using existing origin/${branchName} as baseRef`); + } catch { + debugLog(`Strategy 1 (full): origin/${branchName} not found, trying merge-base with ${defaultBranch}`); + let hasLocalDefaultBranch = false; + try { + execGitSync(["show-ref", "--verify", "--quiet", `refs/remotes/origin/${defaultBranch}`], { cwd }); + hasLocalDefaultBranch = true; + debugLog(`Strategy 1 (full): origin/${defaultBranch} exists locally`); + } catch { + debugLog(`Strategy 1 (full): origin/${defaultBranch} not found locally, attempting fetch`); + try { + const fullFetchEnv = { ...process.env, ...getGitAuthEnv(options.token) }; + execGitSync(["fetch", "origin", "--", defaultBranch], { cwd, env: fullFetchEnv }); + hasLocalDefaultBranch = true; + debugLog(`Strategy 1 (full): Successfully fetched origin/${defaultBranch}`); + } catch (fetchErr) { + debugLog(`Strategy 1 (full): Fetch failed - ${getErrorMessage(fetchErr)} (will try other strategies)`); + } + } + + if (hasLocalDefaultBranch) { + baseRef = execGitSync(["merge-base", "--", `origin/${defaultBranch}`, branchName], { cwd }).trim(); + debugLog(`Strategy 1 (full): Computed merge-base: ${baseRef}`); + } else { + debugLog(`Strategy 1 (full): No remote refs available, falling through to Strategy 2`); + throw new Error(`${ERR_SYSTEM}: No remote refs available for merge-base calculation`); + } + } + } + + // Resolve baseRef to a SHA + baseCommitSha = execGitSync(["rev-parse", baseRef], { cwd }).trim(); + debugLog(`Strategy 1: Resolved baseRef ${baseRef} to SHA ${baseCommitSha}`); + + // Count commits to be included + const commitCount = parseInt(execGitSync(["rev-list", "--count", `${baseRef}..${branchName}`], { cwd }).trim(), 10); + debugLog(`Strategy 1: Found ${commitCount} commits between 
${baseRef} and ${branchName}`); + + if (commitCount > 0) { + // Generate bundle from the determined base to the branch + // git bundle create creates a bundle with the commit range + execGitSync(["bundle", "create", bundlePath, `${baseRef}..${branchName}`], { cwd }); + + if (fs.existsSync(bundlePath)) { + const stat = fs.statSync(bundlePath); + if (stat.size > 0) { + bundleGenerated = true; + debugLog(`Strategy 1: SUCCESS - Generated bundle of ${stat.size} bytes`); + } + } + } else if (mode === "incremental") { + // In incremental mode, zero commits means nothing new to push + return { + success: false, + error: "No new commits to push - your changes may already be on the remote branch", + bundlePath, + bundleSize: 0, + }; + } + } catch (branchError) { + // Branch does not exist locally + debugLog(`Strategy 1: Branch '${branchName}' does not exist locally - ${getErrorMessage(branchError)}`); + if (mode === "incremental") { + return { + success: false, + error: `Branch ${branchName} does not exist locally. 
Cannot generate incremental bundle.`, + bundlePath, + }; + } + } + } + + // Strategy 2: Check if commits were made to current HEAD since checkout + if (!bundleGenerated) { + debugLog(`Strategy 2: Checking commits since GITHUB_SHA`); + const currentHead = execGitSync(["rev-parse", "HEAD"], { cwd }).trim(); + debugLog(`Strategy 2: currentHead=${currentHead}, GITHUB_SHA=${githubSha || "(not set)"}`); + + if (!githubSha) { + debugLog(`Strategy 2: GITHUB_SHA not set, cannot use this strategy`); + errorMessage = "GITHUB_SHA environment variable is not set"; + } else if (currentHead === githubSha) { + debugLog(`Strategy 2: HEAD equals GITHUB_SHA - no new commits`); + } else { + let shaExistsInRepo = false; + try { + execGitSync(["cat-file", "-e", githubSha], { cwd }); + shaExistsInRepo = true; + debugLog(`Strategy 2: GITHUB_SHA exists in this repo`); + } catch { + debugLog(`Strategy 2: GITHUB_SHA not found in repo (cross-repo checkout?)`); + } + + if (shaExistsInRepo) { + try { + execGitSync(["merge-base", "--is-ancestor", githubSha, "HEAD"], { cwd }); + debugLog(`Strategy 2: GITHUB_SHA is an ancestor of HEAD`); + + baseCommitSha = githubSha; + + const commitCount = parseInt(execGitSync(["rev-list", "--count", `${githubSha}..HEAD`], { cwd }).trim(), 10); + debugLog(`Strategy 2: Found ${commitCount} commits between GITHUB_SHA and HEAD`); + + if (commitCount > 0) { + execGitSync(["bundle", "create", bundlePath, `${githubSha}..HEAD`], { cwd }); + + if (fs.existsSync(bundlePath)) { + const stat = fs.statSync(bundlePath); + if (stat.size > 0) { + bundleGenerated = true; + debugLog(`Strategy 2: SUCCESS - Generated bundle of ${stat.size} bytes`); + } + } + } + } catch (ancestorErr) { + debugLog(`Strategy 2: GITHUB_SHA is not an ancestor of HEAD - ${getErrorMessage(ancestorErr)}`); + } + } + } + } + + // Strategy 3: Cross-repo fallback - find commits not reachable from any remote ref + if (!bundleGenerated && branchName) { + debugLog(`Strategy 3: Cross-repo fallback - finding 
commits not reachable from remote refs`); + try { + const remoteRefsOutput = execGitSync(["for-each-ref", "--format=%(refname)", "refs/remotes/"], { cwd }).trim(); + + if (remoteRefsOutput) { + const remoteRefs = remoteRefsOutput.split("\n").filter(r => r); + debugLog(`Strategy 3: Found ${remoteRefs.length} remote refs`); + + if (remoteRefs.length > 0) { + const remoteExcludeArgs = remoteRefs.flatMap(ref => ["--not", ref]); + const revListArgs = ["rev-list", "--count", branchName, ...remoteExcludeArgs]; + + const commitCount = parseInt(execGitSync(revListArgs, { cwd }).trim(), 10); + debugLog(`Strategy 3: Found ${commitCount} commits not reachable from any remote ref`); + + if (commitCount > 0) { + let baseCommit; + for (const ref of remoteRefs) { + try { + baseCommit = execGitSync(["merge-base", ref, branchName], { cwd }).trim(); + if (baseCommit) { + debugLog(`Strategy 3: Found merge-base ${baseCommit} with ref ${ref}`); + break; + } + } catch { + // Try next ref + } + } + + if (baseCommit) { + baseCommitSha = baseCommit; + execGitSync(["bundle", "create", bundlePath, `${baseCommit}..${branchName}`], { cwd }); + + if (fs.existsSync(bundlePath)) { + const stat = fs.statSync(bundlePath); + if (stat.size > 0) { + bundleGenerated = true; + debugLog(`Strategy 3: SUCCESS - Generated bundle of ${stat.size} bytes`); + } + } + } else { + debugLog(`Strategy 3: Could not find merge-base with any remote ref`); + } + } + } + } else { + debugLog(`Strategy 3: No remote refs found`); + } + } catch (strategy3Err) { + debugLog(`Strategy 3: Failed - ${getErrorMessage(strategy3Err)}`); + } + } + } catch (error) { + errorMessage = `Failed to generate bundle: ${getErrorMessage(error)}`; + } + + // Check if bundle was generated and has content + if (bundleGenerated && fs.existsSync(bundlePath)) { + const stat = fs.statSync(bundlePath); + const bundleSize = stat.size; + + if (bundleSize === 0) { + debugLog(`Final: Bundle file exists but is empty`); + return { + success: false, + error: 
"No changes to commit - bundle is empty", + bundlePath, + bundleSize: 0, + }; + } + + debugLog(`Final: SUCCESS - bundleSize=${bundleSize} bytes, baseCommit=${baseCommitSha || "(unknown)"}`); + return { + success: true, + bundlePath, + bundleSize, + baseCommit: baseCommitSha, + }; + } + + // No bundle generated + debugLog(`Final: FAILED - ${errorMessage || "No changes to commit - no commits found"}`); + return { + success: false, + error: errorMessage || "No changes to commit - no commits found", + bundlePath, + }; +} + +module.exports = { + generateGitBundle, + getBundlePath, + getBundlePathForRepo, + sanitizeBranchNameForBundle, + sanitizeRepoSlugForBundle, +}; diff --git a/actions/setup/js/push_to_pull_request_branch.cjs b/actions/setup/js/push_to_pull_request_branch.cjs index 02edf8f0244..77d08b35097 100644 --- a/actions/setup/js/push_to_pull_request_branch.cjs +++ b/actions/setup/js/push_to_pull_request_branch.cjs @@ -102,8 +102,17 @@ async function main(config = {}) { const patchFilePath = message.patch_path; core.info(`Patch file path: ${patchFilePath || "(not set)"}`); + // Determine the bundle file path from the message (set when patch-format: bundle is configured) + const bundleFilePath = message.bundle_path; + if (bundleFilePath) { + core.info(`Bundle file path: ${bundleFilePath}`); + } + + // Check if bundle or patch file exists + const hasBundleFile = !!(bundleFilePath && fs.existsSync(bundleFilePath)); + // Check if patch file exists and has valid content - if (!patchFilePath || !fs.existsSync(patchFilePath)) { + if (!hasBundleFile && (!patchFilePath || !fs.existsSync(patchFilePath))) { const msg = "No patch file found - cannot push without changes"; switch (ifNoChanges) { 
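Review bot: The early return for an invalid `baseBranch` in `generateGitBundle` has a different shape from every other exit: it returns `{ bundlePath, bundleGenerated: false, errorMessage }`, while the callers added in safe_outputs_handlers.cjs read `bundleResult.success` and `bundleResult.error`, so the specific message is replaced by the generic "Failed to generate bundle". Return `{ success: false, error: errorMessage, bundlePath }` there so the validation error reaches the caller. In Strategy 3, `remoteRefs.flatMap(ref => ["--not", ref])` repeats `--not`, which git treats as a toggle, so with more than one remote ref every second ref is read as a positive revision instead of an excluded one and the commit count is inflated. `["--not", ...remoteRefs]` excludes all of them.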
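Review bot: `bundleFilePath` is taken directly from `message.bundle_path`, and `fs.existsSync` is the only check before it becomes the transport artifact, so any existing path named in the message is accepted. generate_git_bundle.cjs always writes under `/tmp/gh-aw/` with a `.bundle` suffix, so the resolved path should be checked against that directory and suffix before `hasBundleFile` is set, and anything else rejected with an explicit error. Separately, when `bundle_path` is set but the file is missing, control falls through to the patch check and reports "No patch file found", which hides that a bundle was expected; a dedicated message such as `Bundle file not found: ${bundleFilePath}` would make the failure diagnosable. `main` starts and continues outside this hunk.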
@@ -118,23 +127,32 @@ async function main(config = {}) { } } - const patchContent = fs.readFileSync(patchFilePath, "utf8"); - - // Check for actual error conditions - if (patchContent.includes("Failed to generate patch")) { - const msg = "Patch file contains error message - cannot push without changes"; - core.error("Patch file generation failed"); - core.error(`Patch file location: ${patchFilePath}`); - core.error(`Patch file size: ${Buffer.byteLength(patchContent, "utf8")} bytes`); - const previewLength = Math.min(500, patchContent.length); - core.error(`Patch file preview (first ${previewLength} characters):`); - core.error(patchContent.substring(0, previewLength)); - return { success: false, error: msg }; - } + // For bundle transport, there is no patch content to read/validate. + // The bundle file itself is the transport artifact. + let patchContent = ""; + let isEmpty; - // Validate patch size (unless empty) - const isEmpty = !patchContent || !patchContent.trim(); - if (!isEmpty) { + if (hasBundleFile) { + // Bundle transport: treat as non-empty (the bundle contains commits) + isEmpty = false; + } else { + patchContent = fs.readFileSync(patchFilePath, "utf8"); + + // Check for actual error conditions + if (patchContent.includes("Failed to generate patch")) { + const msg = "Patch file contains error message - cannot push without changes"; + core.error("Patch file generation failed"); + core.error(`Patch file location: ${patchFilePath}`); + core.error(`Patch file size: ${Buffer.byteLength(patchContent, "utf8")} bytes`); + const previewLength = Math.min(500, patchContent.length); + core.error(`Patch file preview (first ${previewLength} characters):`); + core.error(patchContent.substring(0, previewLength)); + return { success: false, error: msg }; + } + + isEmpty = !patchContent || !patchContent.trim(); + } + if (!hasBundleFile && !isEmpty) { const patchSizeBytes = Buffer.byteLength(patchContent, "utf8"); const patchSizeKb = Math.ceil(patchSizeBytes / 1024); 
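Review bot: The size limit is enforced only for patches: `if (!hasBundleFile && !isEmpty)` skips the `patchSizeBytes` check whenever a bundle is used, and `isEmpty` is hard-coded to `false` for bundles, so a bundle of any size proceeds. A comparable guard on `fs.statSync(bundleFilePath).size` against the same configured maximum would keep the two transports equivalent. Because `patchContent` stays `""` on the bundle path, any later check in `main` that inspects the patch text (not visible in this hunk) has nothing to inspect; those checks should be confirmed to examine the bundle's commits instead.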
@@ -464,83 +482,115 @@ async function main(config = {}) { return { success: false, error: `Failed to checkout branch ${branchName}: ${checkoutError instanceof Error ? checkoutError.message : String(checkoutError)}` }; } - // Apply the patch using git CLI (skip if empty) + // Apply the patch/bundle using git CLI (skip if empty) // Track number of new commits added so we can restrict the extra empty commit // to branches with exactly one new commit (security: prevents use of CI trigger // token on multi-commit branches where workflow files may have been modified). let newCommitCount = 0; let remoteHeadBeforePatch = ""; if (hasChanges) { - core.info("Applying patch..."); + // Capture HEAD before applying changes to compute new-commit count later try { - if (commitTitleSuffix) { - core.info(`Appending commit title suffix: "${commitTitleSuffix}"`); - - // Read the patch file - let patchContent = fs.readFileSync(patchFilePath, "utf8"); - - // Modify Subject lines in the patch to append the suffix - patchContent = patchContent.replace(/^Subject: (?:\[PATCH\] )?(.*)$/gm, (match, title) => `Subject: [PATCH] ${title}${commitTitleSuffix}`); - - // Write the modified patch back - fs.writeFileSync(patchFilePath, patchContent, "utf8"); - core.info(`Patch modified with commit title suffix: "${commitTitleSuffix}"`); - } - - // Log first 100 lines of patch for debugging - const finalPatchContent = fs.readFileSync(patchFilePath, "utf8"); - const patchLines = finalPatchContent.split("\n"); - const previewLineCount = Math.min(100, patchLines.length); - core.info(`Patch preview (first ${previewLineCount} of ${patchLines.length} lines):`); - for (let i = 0; i < previewLineCount; i++) { - core.info(patchLines[i]); - } + const { stdout } = await exec.getExecOutput("git", ["rev-parse", "HEAD"]); + remoteHeadBeforePatch = stdout.trim(); + } catch { + // Non-fatal - extra empty commit will be skipped + } - // Apply patch - // Capture HEAD before applying patch to compute new-commit count 
later + if (hasBundleFile) { + // Bundle transport: fetch commits directly from the bundle file. + // This preserves merge commit topology and per-commit metadata. + core.info(`Applying changes from bundle: ${bundleFilePath}`); + const bundleRef = `refs/bundles/push-${branchName.replace(/[^a-zA-Z0-9-]/g, "-")}`; try { - const { stdout } = await exec.getExecOutput("git", ["rev-parse", "HEAD"]); - remoteHeadBeforePatch = stdout.trim(); - } catch { - // Non-fatal - extra empty commit will be skipped + // Fetch from bundle into a temporary ref + await exec.exec("git", ["fetch", bundleFilePath, `refs/heads/${message.branch}:${bundleRef}`]); + core.info(`Fetched bundle to ${bundleRef}`); + + // Fast-forward the current branch to the bundle tip + await exec.exec("git", ["merge", "--ff-only", bundleRef]); + core.info("Fast-forwarded branch to bundle tip"); + + // Clean up the temporary ref + try { + await exec.exec("git", ["update-ref", "-d", bundleRef]); + } catch { + // Non-fatal cleanup + } + } catch (bundleError) { + core.error(`Failed to apply bundle: ${bundleError instanceof Error ? 
bundleError.message : String(bundleError)}`); + // Clean up temp ref if it exists + try { + await exec.exec("git", ["update-ref", "-d", bundleRef]); + } catch { + // Ignore + } + return { success: false, error: "Failed to apply bundle" }; } - - // Use --3way to handle cross-repo patches where the patch base may differ from target repo - // This allows git to resolve create-vs-modify mismatches when a file exists in target but not source - await exec.exec(`git am --3way ${patchFilePath}`); - core.info("Patch applied successfully"); - } catch (error) { - core.error(`Failed to apply patch: ${getErrorMessage(error)}`); - - // Investigate patch failure + } else { + // Patch transport (default): git am --3way + core.info("Applying patch..."); try { - core.info("Investigating patch failure..."); + if (commitTitleSuffix) { + core.info(`Appending commit title suffix: "${commitTitleSuffix}"`); - const statusResult = await exec.getExecOutput("git", ["status"]); - core.info("Git status output:"); - core.info(statusResult.stdout); + // Read the patch file + let patchContent = fs.readFileSync(patchFilePath, "utf8"); - const logResult = await exec.getExecOutput("git", ["log", "--oneline", "-5"]); - core.info("Recent commits (last 5):"); - core.info(logResult.stdout); + // Modify Subject lines in the patch to append the suffix + patchContent = patchContent.replace(/^Subject: (?:\[PATCH\] )?(.*)$/gm, (match, title) => `Subject: [PATCH] ${title}${commitTitleSuffix}`); - const diffResult = await exec.getExecOutput("git", ["diff", "HEAD"]); - core.info("Uncommitted changes:"); - core.info(diffResult.stdout && diffResult.stdout.trim() ? 
diffResult.stdout : "(no uncommitted changes)"); + // Write the modified patch back + fs.writeFileSync(patchFilePath, patchContent, "utf8"); + core.info(`Patch modified with commit title suffix: "${commitTitleSuffix}"`); + } - const patchDiffResult = await exec.getExecOutput("git", ["am", "--show-current-patch=diff"]); - core.info("Failed patch diff:"); - core.info(patchDiffResult.stdout); + // Log first 100 lines of patch for debugging + const finalPatchContent = fs.readFileSync(patchFilePath, "utf8"); + const patchLines = finalPatchContent.split("\n"); + const previewLineCount = Math.min(100, patchLines.length); + core.info(`Patch preview (first ${previewLineCount} of ${patchLines.length} lines):`); + for (let i = 0; i < previewLineCount; i++) { + core.info(patchLines[i]); + } - const patchFullResult = await exec.getExecOutput("git", ["am", "--show-current-patch"]); - core.info("Failed patch (full):"); - core.info(patchFullResult.stdout); - } catch (investigateError) { - core.warning(`Failed to investigate patch failure: ${investigateError instanceof Error ? 
investigateError.message : String(investigateError)}`); - } + // Use --3way to handle cross-repo patches where the patch base may differ from target repo + // This allows git to resolve create-vs-modify mismatches when a file exists in target but not source + await exec.exec(`git am --3way ${patchFilePath}`); + core.info("Patch applied successfully"); + } catch (error) { + core.error(`Failed to apply patch: ${getErrorMessage(error)}`); + + // Investigate patch failure + try { + core.info("Investigating patch failure..."); + + const statusResult = await exec.getExecOutput("git", ["status"]); + core.info("Git status output:"); + core.info(statusResult.stdout); + + const logResult = await exec.getExecOutput("git", ["log", "--oneline", "-5"]); + core.info("Recent commits (last 5):"); + core.info(logResult.stdout); + + const diffResult = await exec.getExecOutput("git", ["diff", "HEAD"]); + core.info("Uncommitted changes:"); + core.info(diffResult.stdout && diffResult.stdout.trim() ? diffResult.stdout : "(no uncommitted changes)"); + + const patchDiffResult = await exec.getExecOutput("git", ["am", "--show-current-patch=diff"]); + core.info("Failed patch diff:"); + core.info(patchDiffResult.stdout); + + const patchFullResult = await exec.getExecOutput("git", ["am", "--show-current-patch"]); + core.info("Failed patch (full):"); + core.info(patchFullResult.stdout); + } catch (investigateError) { + core.warning(`Failed to investigate patch failure: ${investigateError instanceof Error ? investigateError.message : String(investigateError)}`); + } - return { success: false, error: "Failed to apply patch" }; - } + return { success: false, error: "Failed to apply patch" }; + } + } // end else (patch path) // Push the applied commits to the branch using signed GraphQL commits (outside patch try/catch so push failures are not misattributed) try { 
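Review bot: The fetch refspec `refs/heads/${message.branch}:${bundleRef}` is built from the raw `message.branch`, while the temporary ref beside it is built from a sanitised `branchName`; unless `message.branch` is normalised earlier in `main` (outside this hunk), characters that are meaningful in a refspec reach git unchanged. Validating it first, for instance with `git check-ref-format --branch`, and running `git bundle verify` on `bundleFilePath` before the fetch would confirm that both inputs are what the handler expects. Also, `commitTitleSuffix` is applied only on the patch path, so with bundle transport a configured suffix is silently dropped; a `core.warning` saying so would avoid surprises.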
diff --git a/actions/setup/js/safe_outputs_handlers.cjs b/actions/setup/js/safe_outputs_handlers.cjs index 440bb15958a..45241118384 100644 --- a/actions/setup/js/safe_outputs_handlers.cjs +++ b/actions/setup/js/safe_outputs_handlers.cjs @@ -11,6 +11,7 @@ const { writeLargeContentToFile } = require("./write_large_content_to_file.cjs") const { getCurrentBranch } = require("./get_current_branch.cjs"); const { getBaseBranch } = require("./get_base_branch.cjs"); const { generateGitPatch } = require("./generate_git_patch.cjs"); +const { generateGitBundle } = require("./generate_git_bundle.cjs"); const { enforceCommentLimits } = require("./comment_limit_helpers.cjs"); const { getErrorMessage } = require("./error_helpers.cjs"); const { ERR_CONFIG, ERR_SYSTEM, ERR_VALIDATION } = require("./error_codes.cjs"); 
@@ -310,20 +311,77 @@ function createHandlers(server, appendSafeOutput, config = {}) { }; } - // Generate git patch with optional cwd for multi-repo support - server.debug(`Generating patch for create_pull_request with branch: ${entry.branch}${repoCwd ? ` in ${repoCwd} baseBranch: ${baseBranch}` : ""}`); - const patchOptions = {}; + // Determine transport format: "bundle" uses git bundle (preserves merge topology), + // "am" (default) uses git format-patch / git am (good for linear histories). + const patchFormat = prConfig["patch_format"] || config["patch_format"] || "am"; + const useBundle = patchFormat === "bundle"; + + // Build common options for both patch and bundle generation + const transportOptions = {}; if (repoCwd) { - patchOptions.cwd = repoCwd; + transportOptions.cwd = repoCwd; } if (repoSlug) { - patchOptions.repoSlug = repoSlug; + transportOptions.repoSlug = repoSlug; } // Pass per-handler token so cross-repo PATs are used for git fetch when configured. // Falls back to GITHUB_TOKEN if not set. if (prConfig["github-token"]) { - patchOptions.token = prConfig["github-token"]; + transportOptions.token = prConfig["github-token"]; } + + if (useBundle) { + // Bundle transport: preserves merge commits and per-commit metadata + server.debug(`Generating bundle for create_pull_request with branch: ${entry.branch}${repoCwd ? ` in ${repoCwd} baseBranch: ${baseBranch}` : ""}`); + const bundleResult = await generateGitBundle(entry.branch, baseBranch, transportOptions); + + if (!bundleResult.success) { + const errorMsg = bundleResult.error || "Failed to generate bundle"; + server.debug(`Bundle generation failed: ${errorMsg}`); + return { + content: [ + { + type: "text", + text: JSON.stringify({ + result: "error", + error: errorMsg, + details: "No commits were found to create a pull request. 
Make sure you have committed your changes using git add and git commit before calling create_pull_request.", + }), + }, + ], + isError: true, + }; + } + + server.debug(`Bundle generated successfully: ${bundleResult.bundlePath} (${bundleResult.bundleSize} bytes)`); + + // Store the bundle path in the entry so consumers know which file to use + entry.bundle_path = bundleResult.bundlePath; + + if (bundleResult.baseCommit) { + entry.base_commit = bundleResult.baseCommit; + } + + appendSafeOutput(entry); + return { + content: [ + { + type: "text", + text: JSON.stringify({ + result: "success", + bundle: { + path: bundleResult.bundlePath, + size: bundleResult.bundleSize, + }, + }), + }, + ], + }; + } + + // Patch transport (default): uses git format-patch / git am + server.debug(`Generating patch for create_pull_request with branch: ${entry.branch}${repoCwd ? ` in ${repoCwd} baseBranch: ${baseBranch}` : ""}`); + const patchOptions = { ...transportOptions }; // Pass excluded_files so git excludes them via :(exclude) pathspecs at generation time. if (Array.isArray(prConfig.excluded_files) && prConfig.excluded_files.length > 0) { patchOptions.excludedFiles = prConfig.excluded_files; 
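Review bot: `excluded_files` is not honoured when `patch_format` is `bundle`: the bundle branch returns before `patchOptions.excludedFiles` is set, and `generateGitBundle` takes no such option, so files the configuration describes as stripped at generation time remain in the bundled commits. The same applies to the `push_to_pull_request_branch` handler hunk further down. A bundle carries whole commits, so pathspec exclusion cannot be applied the same way; failing fast when both are configured is clearer, e.g. `if (useBundle && Array.isArray(prConfig.excluded_files) && prConfig.excluded_files.length > 0) { /* return a configuration error */ }`. `createHandlers` starts and ends outside this hunk.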
@@ -435,16 +493,73 @@ function createHandlers(server, appendSafeOutput, config = {}) { entry.branch = detectedBranch; } - // Generate git patch in incremental mode - // Incremental mode only includes commits since origin/branchName, - // preventing patches that include already-existing commits - server.debug(`Generating incremental patch for push_to_pull_request_branch with branch: ${entry.branch}, baseBranch: ${baseBranch}`); + // Determine transport format: "bundle" uses git bundle (preserves merge topology), + // "am" (default) uses git format-patch / git am (good for linear histories). + const pushPatchFormat = pushConfig["patch_format"] || config["patch_format"] || "am"; + const useBundle = pushPatchFormat === "bundle"; + + // Build common options for both patch and bundle generation + const pushTransportOptions = { mode: "incremental" }; // Pass per-handler token so cross-repo PATs are used for git fetch when configured. // Falls back to GITHUB_TOKEN if not set. - const pushPatchOptions = { mode: "incremental" }; if (pushConfig["github-token"]) { - pushPatchOptions.token = pushConfig["github-token"]; + pushTransportOptions.token = pushConfig["github-token"]; } + + if (useBundle) { + // Bundle transport: preserves merge commits and per-commit metadata + server.debug(`Generating incremental bundle for push_to_pull_request_branch with branch: ${entry.branch}, baseBranch: ${baseBranch}`); + const bundleResult = await generateGitBundle(entry.branch, baseBranch, pushTransportOptions); + + if (!bundleResult.success) { + const errorMsg = bundleResult.error || "Failed to generate bundle"; + server.debug(`Bundle generation failed: ${errorMsg}`); + return { + content: [ + { + type: "text", + text: JSON.stringify({ + result: "error", + error: errorMsg, + details: "No commits were found to push to the pull request branch. 
Make sure you have committed your changes using git add and git commit before calling push_to_pull_request_branch.", + }), + }, + ], + isError: true, + }; + } + + server.debug(`Bundle generated successfully: ${bundleResult.bundlePath} (${bundleResult.bundleSize} bytes)`); + + // Store the bundle path in the entry so consumers know which file to use + entry.bundle_path = bundleResult.bundlePath; + + if (bundleResult.baseCommit) { + entry.base_commit = bundleResult.baseCommit; + } + + appendSafeOutput(entry); + return { + content: [ + { + type: "text", + text: JSON.stringify({ + result: "success", + bundle: { + path: bundleResult.bundlePath, + size: bundleResult.bundleSize, + }, + }), + }, + ], + }; + } + + // Patch transport (default): uses git format-patch / git am + // Incremental mode only includes commits since origin/branchName, + // preventing patches that include already-existing commits + server.debug(`Generating incremental patch for push_to_pull_request_branch with branch: ${entry.branch}, baseBranch: ${baseBranch}`); + const pushPatchOptions = { ...pushTransportOptions }; // Pass excluded_files so git excludes them via :(exclude) pathspecs at generation time. if (Array.isArray(pushConfig.excluded_files) && pushConfig.excluded_files.length > 0) { pushPatchOptions.excludedFiles = pushConfig.excluded_files; diff --git a/pkg/workflow/compiler_safe_outputs_config.go b/pkg/workflow/compiler_safe_outputs_config.go index 57094cf7b6a..6cb2372fa10 100644 --- a/pkg/workflow/compiler_safe_outputs_config.go +++ b/pkg/workflow/compiler_safe_outputs_config.go @@ -525,6 +525,7 @@ var handlerRegistry = map[string]handlerBuilder{ AddStringSlice("allowed_files", c.AllowedFiles). AddStringSlice("excluded_files", c.ExcludedFiles). AddIfTrue("preserve_branch_name", c.PreserveBranchName). + AddIfNotEmpty("patch_format", c.PatchFormat). AddIfTrue("staged", c.Staged) return builder.Build() }, 
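Review bot: The error `details` text is fixed to "No commits were found to push to the pull request branch", but in incremental mode `generateGitBundle` also fails when the fetch of the remote branch fails or the branch does not exist locally, so the hint can point at the wrong cause. Emit `details` only when the failure really is "no new commits", or drop it and rely on `error`. The bundle branch here is otherwise a near copy of the one in the `create_pull_request` handler; a shared helper taking the handler name and transport options would keep the two from drifting apart.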
@@ -554,6 +555,7 @@ var handlerRegistry = map[string]handlerBuilder{ AddStringSlice("protected_path_prefixes", getProtectedPathPrefixes()). AddStringSlice("allowed_files", c.AllowedFiles). AddStringSlice("excluded_files", c.ExcludedFiles). + AddIfNotEmpty("patch_format", c.PatchFormat). Build() }, "update_pull_request": func(cfg *SafeOutputsConfig) map[string]any { diff --git a/pkg/workflow/create_pull_request.go b/pkg/workflow/create_pull_request.go index bb7648f7275..7286a4860e3 100644 --- a/pkg/workflow/create_pull_request.go +++ b/pkg/workflow/create_pull_request.go @@ -36,6 +36,7 @@ type CreatePullRequestsConfig struct { AllowedFiles []string `yaml:"allowed-files,omitempty"` // Strict allowlist of glob patterns for files eligible for create. Checked independently of protected-files; both checks must pass. ExcludedFiles []string `yaml:"excluded-files,omitempty"` // List of glob patterns for files to exclude from the patch using git :(exclude) pathspecs. Matching files are stripped by git at generation time and will not appear in the commit or be subject to allowed-files or protected-files checks. PreserveBranchName bool `yaml:"preserve-branch-name,omitempty"` // When true, skips the random salt suffix on agent-specified branch names. Invalid characters are still replaced for security; casing is always preserved. Useful when CI enforces branch naming conventions (e.g. Jira keys in uppercase). + PatchFormat string `yaml:"patch-format,omitempty"` // Transport format for packaging changes: "am" (default, uses git format-patch) or "bundle" (uses git bundle, preserves merge topology and per-commit metadata). } // parsePullRequestsConfig handles only create-pull-request (singular) configuration 
@@ -86,6 +87,12 @@ func (c *Compiler) parsePullRequestsConfig(outputMap map[string]any) *CreatePull validateStringEnumField(configData, "protected-files", manifestFilesEnums, createPRLog) } + // Pre-process patch-format: valid values are "am" (default) and "bundle". + patchFormatEnums := []string{"am", "bundle"} + if configData != nil { + validateStringEnumField(configData, "patch-format", patchFormatEnums, createPRLog) + } + // Pre-process templatable int fields if err := preprocessIntFieldAsString(configData, "max", createPRLog); err != nil { createPRLog.Printf("Invalid max value: %v", err) diff --git a/pkg/workflow/push_to_pull_request_branch.go b/pkg/workflow/push_to_pull_request_branch.go index 1837162bcf7..a655ea4d87e 100644 --- a/pkg/workflow/push_to_pull_request_branch.go +++ b/pkg/workflow/push_to_pull_request_branch.go @@ -23,6 +23,7 @@ type PushToPullRequestBranchConfig struct { ManifestFilesPolicy *string `yaml:"protected-files,omitempty"` // Controls protected-file protection: "blocked" (default) hard-blocks, "allowed" permits all changes, "fallback-to-issue" creates a review issue instead of pushing. AllowedFiles []string `yaml:"allowed-files,omitempty"` // Strict allowlist of glob patterns for files eligible for push. Checked independently of protected-files; both checks must pass. ExcludedFiles []string `yaml:"excluded-files,omitempty"` // List of glob patterns for files to exclude from the patch using git :(exclude) pathspecs. Matching files are stripped by git at generation time and will not appear in the commit or be subject to allowed-files or protected-files checks. + PatchFormat string `yaml:"patch-format,omitempty"` // Transport format for packaging changes: "am" (default, uses git format-patch) or "bundle" (uses git bundle, preserves merge topology and per-commit metadata). } // buildCheckoutRepository generates a checkout step with optional target repository and custom token 
@@ -150,6 +151,15 @@ func (c *Compiler) parsePushToPullRequestBranchConfig(outputMap map[string]any) // Parse excluded-files: list of glob patterns for files to exclude via git :(exclude) pathspecs pushToBranchConfig.ExcludedFiles = ParseStringArrayFromConfig(configMap, "excluded-files", pushToPullRequestBranchLog) + // Parse patch-format: valid values are "am" (default) and "bundle" + patchFormatEnums := []string{"am", "bundle"} + validateStringEnumField(configMap, "patch-format", patchFormatEnums, pushToPullRequestBranchLog) + if patchFormat, exists := configMap["patch-format"]; exists { + if patchFormatStr, ok := patchFormat.(string); ok { + pushToBranchConfig.PatchFormat = patchFormatStr + } + } + // Parse common base fields with default max of 0 (no limit) c.parseBaseSafeOutputConfig(configMap, &pushToBranchConfig.BaseSafeOutputConfig, 0) } From 6ac2dce9918982c28b335cff4cdff4bd56956773 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 00:45:33 +0000 Subject: [PATCH 03/11] fix: address code review feedback (consistent return structure, rename patchFileName)" Agent-Logs-Url: https://github.com/github/gh-aw/sessions/220273af-754a-4610-9d4d-f8d2ad9a7c48 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/js/create_pull_request.cjs | 4 ++-- actions/setup/js/generate_git_bundle.cjs | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/actions/setup/js/create_pull_request.cjs b/actions/setup/js/create_pull_request.cjs index 47759f4f804..6788d1fb26c 100644 --- a/actions/setup/js/create_pull_request.cjs +++ b/actions/setup/js/create_pull_request.cjs 
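Review bot: `pushToBranchConfig.PatchFormat` is set from `configMap["patch-format"]` for any string, so rejecting an unsupported value depends entirely on `validateStringEnumField` removing the key, which is not visible in this hunk. The JavaScript handler treats every value other than `"bundle"` as the am path, so a misspelled format would quietly change transport instead of failing. Guarding the assignment itself, `if patchFormatStr == "am" || patchFormatStr == "bundle" { pushToBranchConfig.PatchFormat = patchFormatStr }`, keeps the parser safe on its own. The `patchFormatEnums` slice is also declared identically in `parsePullRequestsConfig` in create_pull_request.go and could be one package-level variable. The function starts outside the hunk.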
@@ -758,7 +758,7 @@ async function main(config = {}) { const runUrl = buildWorkflowRunUrl(context, context.repo); const runId = context.runId; - const patchFileName = bundleFilePath ? bundleFilePath.replace("/tmp/gh-aw/", "") : "aw-unknown.bundle"; + const artifactFileName = bundleFilePath ? bundleFilePath.replace("/tmp/gh-aw/", "") : "aw-unknown.bundle"; const fallbackBody = `${body} --- @@ -777,7 +777,7 @@ To create a pull request with the changes: gh run download ${runId} -n agent -D /tmp/agent-${runId} # Fetch the bundle into a local branch -git fetch /tmp/agent-${runId}/${patchFileName} refs/heads/${bundleBranchRef}:refs/heads/${branchName} +git fetch /tmp/agent-${runId}/${artifactFileName} refs/heads/${bundleBranchRef}:refs/heads/${branchName} git checkout ${branchName} # Push the branch to origin diff --git a/actions/setup/js/generate_git_bundle.cjs b/actions/setup/js/generate_git_bundle.cjs index c254439f892..5c3a7f0536d 100644 --- a/actions/setup/js/generate_git_bundle.cjs +++ b/actions/setup/js/generate_git_bundle.cjs @@ -113,9 +113,9 @@ async function generateGitBundle(branchName, baseBranch, options = {}) { const errorMessage = "baseBranch is required and must be a non-empty string (received: " + String(baseBranch) + ")"; debugLog(`Invalid baseBranch: ${errorMessage}`); return { + success: false, + error: errorMessage, bundlePath, - bundleGenerated: false, - errorMessage, }; } From 91450351a2d1401e4b71aab1d753f1cb247b0e47 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 13:32:22 +0000 Subject: [PATCH 04/11] chore: add changeset for patch-format bundle feature Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3a8d2ab7-0e93-42a5-aca2-ef9d165525b2 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .changeset/minor-safe-outputs-patch-format-bundle.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/minor-safe-outputs-patch-format-bundle.md diff --git a/.changeset/minor-safe-outputs-patch-format-bundle.md b/.changeset/minor-safe-outputs-patch-format-bundle.md new file mode 100644 index 00000000000..c66dd75e6bb --- /dev/null +++ b/.changeset/minor-safe-outputs-patch-format-bundle.md @@ -0,0 +1,5 @@ +--- +"gh-aw": minor +--- + +Add `patch-format: bundle` option to `create-pull-request` and `push-to-pull-request-branch` safe outputs. Set `patch-format: bundle` to transport changes via `git bundle` instead of `git format-patch`/`git am`, preserving merge commit topology, per-commit authorship and messages, and merge-resolution-only content. The default (`patch-format: am`) is unchanged. From a03c86de4070ff5e71298d03b9fd73dea3d8dbd3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 13:55:11 +0000 Subject: [PATCH 05/11] feat: add patch-format to JSON schema and enable bundle mode in changeset workflow Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8b757d6e-a587-4103-968c-e3920ac0d1d0 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/changeset.lock.yml | 54 ++++++++++---------- .github/workflows/changeset.md | 1 + pkg/parser/schemas/main_workflow_schema.json | 12 +++++ 3 files changed, 40 insertions(+), 27 deletions(-) diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 4cef00b9ab2..8c9d2381493 100644 
--- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -27,7 +27,7 @@ # - shared/changeset-format.md # - shared/jqschema.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"80ee3dbacd9d4d372d4e7820972ef40b5a69c2c572dde89ff3b3cc46ecf6aa7d","strict":true,"agent_id":"codex","agent_model":"gpt-5.1-codex-mini"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8c85795f43a59a771922431c18dad77f4ae4f3283e6341507dd876e3122a992a","strict":true,"agent_id":"codex","agent_model":"gpt-5.1-codex-mini"} name: "Changeset Generator" "on": @@ -179,19 +179,19 @@ jobs: run: | bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh { - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' - GH_AW_PROMPT_845eb89cbd0cda3c_EOF + GH_AW_PROMPT_913c1d056bceed0c_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' Tools: update_pull_request, push_to_pull_request_branch, missing_tool, missing_data, noop - GH_AW_PROMPT_845eb89cbd0cda3c_EOF + GH_AW_PROMPT_913c1d056bceed0c_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_push_to_pr_branch.md" - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' The following GitHub context information is available for this workflow: 
@@ -221,20 +221,20 @@ jobs: {{/if}} - GH_AW_PROMPT_845eb89cbd0cda3c_EOF + GH_AW_PROMPT_913c1d056bceed0c_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' - GH_AW_PROMPT_845eb89cbd0cda3c_EOF - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + GH_AW_PROMPT_913c1d056bceed0c_EOF + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' {{#runtime-import .github/workflows/shared/changeset-format.md}} - GH_AW_PROMPT_845eb89cbd0cda3c_EOF - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + GH_AW_PROMPT_913c1d056bceed0c_EOF + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' {{#runtime-import .github/workflows/shared/jqschema.md}} - GH_AW_PROMPT_845eb89cbd0cda3c_EOF - cat << 'GH_AW_PROMPT_845eb89cbd0cda3c_EOF' + GH_AW_PROMPT_913c1d056bceed0c_EOF + cat << 'GH_AW_PROMPT_913c1d056bceed0c_EOF' {{#runtime-import .github/workflows/changeset.md}} - GH_AW_PROMPT_845eb89cbd0cda3c_EOF + GH_AW_PROMPT_913c1d056bceed0c_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -412,12 +412,12 @@ jobs: mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_ead6170169387372_EOF' - {"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_to_pull_request_branch":{"allowed_files":[".changeset/**"],"commit_title_suffix":" [skip-ci]","if_no_changes":"warn","max_patch_size":1024,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"update_pull_request":{"allow_body":true,"allow_title":false,"default_operation":"append","max":1}} - GH_AW_SAFE_OUTPUTS_CONFIG_ead6170169387372_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_5ff2c7bb7c559171_EOF' + {"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_to_pull_request_branch":{"allowed_files":[".changeset/**"],"commit_title_suffix":" 
[skip-ci]","if_no_changes":"warn","max_patch_size":1024,"patch_format":"bundle","protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS"],"protected_path_prefixes":[".github/",".agents/"]},"update_pull_request":{"allow_body":true,"allow_title":false,"default_operation":"append","max":1}} + GH_AW_SAFE_OUTPUTS_CONFIG_5ff2c7bb7c559171_EOF - name: Write Safe Outputs Tools run: | - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_b712f55cf5b32c73_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_4de9f2c459506ec3_EOF' { "description_suffixes": { "update_pull_request": " CONSTRAINTS: Maximum 1 pull request(s) can be updated." @@ -425,8 +425,8 @@ jobs: "repo_params": {}, "dynamic_tools": [] } - GH_AW_SAFE_OUTPUTS_TOOLS_META_b712f55cf5b32c73_EOF - cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_711c66c5e984d1ff_EOF' + GH_AW_SAFE_OUTPUTS_TOOLS_META_4de9f2c459506ec3_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_98efc99c85f05e37_EOF' { "missing_data": { "defaultMax": 20, @@ -540,7 +540,7 @@ jobs: "customValidation": "requiresOneOf:title,body" } } - GH_AW_SAFE_OUTPUTS_VALIDATION_711c66c5e984d1ff_EOF + GH_AW_SAFE_OUTPUTS_VALIDATION_98efc99c85f05e37_EOF node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config 
@@ -607,7 +607,7 @@ jobs: export GH_AW_ENGINE="codex" export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.6' - cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_2c29f7f18d27ba76_EOF + cat > /tmp/gh-aw/mcp-config/config.toml << GH_AW_MCP_CONFIG_03abdce85ee0b9b7_EOF [history] persistence = "none" @@ -634,10 +634,10 @@ jobs: [mcp_servers.safeoutputs."guard-policies".write-sink] accept = ["*"] - GH_AW_MCP_CONFIG_2c29f7f18d27ba76_EOF + GH_AW_MCP_CONFIG_03abdce85ee0b9b7_EOF # Generate JSON config for MCP gateway - cat << GH_AW_MCP_CONFIG_2c29f7f18d27ba76_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_03abdce85ee0b9b7_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { 
@@ -677,7 +677,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_2c29f7f18d27ba76_EOF + GH_AW_MCP_CONFIG_03abdce85ee0b9b7_EOF - name: Download activation artifact uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: 
@@ -1086,7 +1086,7 @@ jobs: GH_AW_ALLOWED_DOMAINS: "*.jsr.io,172.30.0.1,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,esm.sh,get.pnpm.io,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,sum.golang.org,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"push_to_pull_request_branch\":{\"allowed_files\":[\".changeset/**\"],\"commit_title_suffix\":\" 
[skip-ci]\",\"if_no_changes\":\"warn\",\"max_patch_size\":1024,\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\",\".codex/\"]},\"update_pull_request\":{\"allow_body\":true,\"allow_title\":false,\"default_operation\":\"append\",\"max\":1}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"push_to_pull_request_branch\":{\"allowed_files\":[\".changeset/**\"],\"commit_title_suffix\":\" [skip-ci]\",\"if_no_changes\":\"warn\",\"max_patch_size\":1024,\"patch_format\":\"bundle\",\"protected_files\":[\"package.json\",\"bun.lockb\",\"bunfig.toml\",\"deno.json\",\"deno.jsonc\",\"deno.lock\",\"global.json\",\"NuGet.Config\",\"Directory.Packages.props\",\"mix.exs\",\"mix.lock\",\"go.mod\",\"go.sum\",\"stack.yaml\",\"stack.yaml.lock\",\"pom.xml\",\"build.gradle\",\"build.gradle.kts\",\"settings.gradle\",\"settings.gradle.kts\",\"gradle.properties\",\"package-lock.json\",\"yarn.lock\",\"pnpm-lock.yaml\",\"npm-shrinkwrap.json\",\"requirements.txt\",\"Pipfile\",\"Pipfile.lock\",\"pyproject.toml\",\"setup.py\",\"setup.cfg\",\"Gemfile\",\"Gemfile.lock\",\"uv.lock\",\"CODEOWNERS\",\"AGENTS.md\"],\"protected_path_prefixes\":[\".github/\",\".agents/\",\".codex/\"]},\"update_pull_request\":{\"allow_body\":true,\"allow_title\":false,\"default_operation\":\"append\",\"max\":1}}" 
GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }} with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/changeset.md b/.github/workflows/changeset.md index 6083e4dbeb0..a569b57f5fb 100644 --- a/.github/workflows/changeset.md +++ b/.github/workflows/changeset.md @@ -18,6 +18,7 @@ engine: strict: true safe-outputs: push-to-pull-request-branch: + patch-format: bundle commit-title-suffix: " [skip-ci]" allowed-files: - .changeset/** diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index 48f19ae8b5e..83257c39c54 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -5845,6 +5845,12 @@ }, "description": "List of glob patterns for files to exclude from the patch. Each pattern is passed to `git format-patch` as a `:(exclude)` magic pathspec, so matching files are stripped by git at generation time and will not appear in the commit. Excluded files are also not subject to `allowed-files` or `protected-files` checks. Supports * (any characters except /) and ** (any characters including /)." }, + "patch-format": { + "type": "string", + "enum": ["am", "bundle"], + "default": "am", + "description": "Transport format for packaging changes. \"am\" (default) uses git format-patch/git am. \"bundle\" uses git bundle, which preserves merge commit topology, per-commit authorship, and merge-resolution-only content." + }, "staged": { "type": "boolean", "description": "If true, emit step summary messages instead of making GitHub API calls for this specific output type (preview mode)", 
@@ -6988,6 +6994,12 @@ "type": "string" }, "description": "List of glob patterns for files to exclude from the patch. Each pattern is passed to `git format-patch` as a `:(exclude)` magic pathspec, so matching files are stripped by git at generation time and will not appear in the commit. Excluded files are also not subject to `allowed-files` or `protected-files` checks. Supports * (any characters except /) and ** (any characters including /)." + }, + "patch-format": { + "type": "string", + "enum": ["am", "bundle"], + "default": "am", + "description": "Transport format for packaging changes. \"am\" (default) uses git format-patch/git am. \"bundle\" uses git bundle, which preserves merge commit topology, per-commit authorship, and merge-resolution-only content." } }, "additionalProperties": false From 353314066569daf06b6f10a1b7f69e83ca59f956 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 14:18:40 +0000 Subject: [PATCH 06/11] fix: add generate_git_bundle.cjs to setup.sh safe-outputs file list Agent-Logs-Url: https://github.com/github/gh-aw/sessions/46350f9f-4936-4883-8be5-9acb786dd1c7 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/setup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/actions/setup/setup.sh b/actions/setup/setup.sh index 563cc4b4ee7..3e7168259ca 100755 --- a/actions/setup/setup.sh +++ b/actions/setup/setup.sh @@ -251,6 +251,7 @@ SAFE_OUTPUTS_FILES=( "messages_close_discussion.cjs" "estimate_tokens.cjs" "generate_git_patch.cjs" + "generate_git_bundle.cjs" "get_base_branch.cjs" "get_current_branch.cjs" "normalize_branch_name.cjs" From c5a5fb41e9f3776d0f0f22d6b97e0698114d0b8e Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 17:43:14 +0000 Subject: [PATCH 07/11] fix: include aw-*.bundle in agent artifact upload so safe_outputs job can access it Agent-Logs-Url: https://github.com/github/gh-aw/sessions/12ece161-a7b5-4c87-8d5c-861b7a8fd550 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agentics-maintenance.yml | 319 --------------------- .github/workflows/changeset.lock.yml | 1 + pkg/workflow/compiler_artifacts_test.go | 3 + pkg/workflow/compiler_yaml_main_job.go | 6 + pkg/workflow/step_order_validation.go | 4 +- 5 files changed, 13 insertions(+), 320 deletions(-) delete mode 100644 .github/workflows/agentics-maintenance.yml diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml deleted file mode 100644 index d2e1f05d0e1..00000000000 --- a/.github/workflows/agentics-maintenance.yml +++ /dev/null 
@@ -1,319 +0,0 @@ -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ -# | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ -# \_| |_/\__, |\___|_| |_|\__|_|\___| -# __/ | -# _ _ |___/ -# | | | | / _| | -# | | | | ___ _ __ _ __| |_| | _____ ____ -# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| -# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ -# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ -# -# This file was automatically generated by pkg/workflow/maintenance_workflow.go. DO NOT EDIT. -# -# To regenerate this workflow, run: -# gh aw compile -# Not all edits will cause changes to this file. -# -# For more information: https://github.github.com/gh-aw/introduction/overview/ -# -# Alternative regeneration methods: -# make recompile -# -# Or use the gh-aw CLI directly: -# ./gh-aw compile --validate --verbose -# -# The workflow is generated when any workflow uses the 'expires' field -# in create-discussions, create-issues, or create-pull-request safe-outputs configuration. -# Schedule frequency is automatically determined by the shortest expiration time. -# -name: Agentic Maintenance - -on: - schedule: - - cron: "37 */2 * * *" # Every 2 hours (based on minimum expires: 1 days) - workflow_dispatch: - inputs: - operation: - description: 'Optional maintenance operation to run' - required: false - type: choice - default: '' - options: - - '' - - 'disable' - - 'enable' - - 'update' - - 'upgrade' - - 'safe_outputs' - run_url: - description: 'Run URL or run ID to replay safe outputs from (e.g. https://github.com/owner/repo/actions/runs/12345 or 12345). Required when operation is safe_outputs.' 
- required: false - type: string - default: '' - -permissions: {} - -jobs: - close-expired-entities: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} - runs-on: ubuntu-slim - permissions: - discussions: write - issues: write - pull-requests: write - steps: - - name: Checkout actions folder - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - sparse-checkout: | - actions - persist-credentials: false - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: ${{ runner.temp }}/gh-aw/actions - - - name: Close expired discussions - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/close_expired_discussions.cjs'); - await main(); - - - name: Close expired issues - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/close_expired_issues.cjs'); - await main(); - - - name: Close expired pull requests - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/close_expired_pull_requests.cjs'); - await main(); - - run_operation: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation != '' && github.event.inputs.operation != 'safe_outputs' && !github.event.repository.fork }} - runs-on: ubuntu-slim - permissions: - 
actions: write - contents: write - pull-requests: write - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: ${{ runner.temp }}/gh-aw/actions - - - name: Check admin/maintainer permissions - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs'); - await main(); - - - name: Setup Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Run operation - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_AW_OPERATION: ${{ github.event.inputs.operation }} - GH_AW_CMD_PREFIX: ./gh-aw - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/run_operation_update_upgrade.cjs'); - await main(); - - apply_safe_outputs: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }} - runs-on: ubuntu-slim - permissions: - actions: read - contents: write - discussions: write - issues: write - pull-requests: write - steps: - - name: Checkout actions folder - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - sparse-checkout: | - actions - persist-credentials: false - - - name: Setup Scripts - uses: 
./actions/setup - with: - destination: ${{ runner.temp }}/gh-aw/actions - - - name: Check admin/maintainer permissions - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs'); - await main(); - - - name: Apply Safe Outputs - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_AW_RUN_URL: ${{ github.event.inputs.run_url }} - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/apply_safe_outputs_replay.cjs'); - await main(); - - compile-workflows: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} - runs-on: ubuntu-slim - permissions: - contents: read - issues: write - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Setup Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Compile workflows - run: | - ./gh-aw compile --validate --verbose - echo "✓ All workflows compiled successfully" - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: ${{ runner.temp }}/gh-aw/actions - - - name: Check for out-of-sync workflows and create issue if needed - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - with: - script: | - const { setupGlobals 
} = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_recompile_needed.cjs'); - await main(); - - zizmor-scan: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} - runs-on: ubuntu-slim - needs: compile-workflows - permissions: - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Run zizmor security scanner - run: | - ./gh-aw compile --zizmor --verbose - echo "✓ Zizmor security scan completed" - - secret-validation: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} - runs-on: ubuntu-slim - permissions: - contents: read - steps: - - name: Checkout actions folder - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - sparse-checkout: | - actions - persist-credentials: false - - - name: Setup Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: '22' - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: ${{ runner.temp }}/gh-aw/actions - - - name: Validate Secrets - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - # GitHub tokens - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} - GH_AW_COPILOT_TOKEN: ${{ secrets.GH_AW_COPILOT_TOKEN }} - # AI Engine API keys - ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - 
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }} - # Integration tokens - NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} - with: - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/validate_secrets.cjs'); - await main(); - - - name: Upload secret validation report - if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 - with: - name: secret-validation-report - path: secret-validation-report.md - retention-days: 30 - if-no-files-found: warn diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 8c9d2381493..0c480f0bfa0 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -829,6 +829,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/pkg/workflow/compiler_artifacts_test.go b/pkg/workflow/compiler_artifacts_test.go index 6c6c4b3fec8..4359033337c 100644 --- a/pkg/workflow/compiler_artifacts_test.go +++ b/pkg/workflow/compiler_artifacts_test.go @@ -376,4 +376,7 @@ Push some changes. if !strings.Contains(uploadSection, "/tmp/gh-aw/aw-*.patch") { t.Error("Expected '/tmp/gh-aw/aw-*.patch' in unified artifact upload when threat detection is enabled with staged push-to-pull-request-branch") } + if !strings.Contains(uploadSection, "/tmp/gh-aw/aw-*.bundle") { + t.Error("Expected '/tmp/gh-aw/aw-*.bundle' in unified artifact upload when threat detection is enabled with staged push-to-pull-request-branch") + } } diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 03b99cee0e7..e01882614fa 100644 --- a/pkg/workflow/compiler_yaml_main_job.go 
+++ b/pkg/workflow/compiler_yaml_main_job.go @@ -528,6 +528,12 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat threatDetectionNeedsPatches := IsDetectionJobEnabled(data.SafeOutputs) if usesPatchesAndCheckouts(data.SafeOutputs) || threatDetectionNeedsPatches { artifactPaths = append(artifactPaths, "/tmp/gh-aw/aw-*.patch") + // Bundle files are generated when patch-format: bundle is configured. + // Both formats use the same download path in the safe_outputs job, so + // include the bundle glob unconditionally alongside the patch glob. + // The artifact upload step already sets if-no-files-found: ignore, so + // this is safe even when no bundle files exist. + artifactPaths = append(artifactPaths, "/tmp/gh-aw/aw-*.bundle") } // Add post-steps (if any) after AI execution diff --git a/pkg/workflow/step_order_validation.go b/pkg/workflow/step_order_validation.go index b2e9b202a29..4799b048d3a 100644 --- a/pkg/workflow/step_order_validation.go +++ b/pkg/workflow/step_order_validation.go @@ -203,8 +203,10 @@ func isPathScannedBySecretRedaction(path string) bool { // Path must have one of the scanned extensions that the redact_secrets step covers. // .patch files are git-diff output written to /tmp/gh-aw/ by the safe-outputs MCP server // and are covered by the redact_secrets step before the unified artifact is uploaded. + // .bundle files are git bundle files written to /tmp/gh-aw/ when patch-format: bundle is + // configured. They are binary files but must still pass through secret redaction. ext := filepath.Ext(path) - scannedExtensions := []string{".txt", ".json", ".log", ".jsonl", ".patch"} + scannedExtensions := []string{".txt", ".json", ".log", ".jsonl", ".patch", ".bundle"} if slices.Contains(scannedExtensions, ext) { return true } From ec5238a4b148a302dc721b8dc0b3ddc077ada6b2 Mon Sep 17 00:00:00 2001 
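Review bot: In `isPathScannedBySecretRedaction` (pkg/workflow/step_order_validation.go), adding `".bundle"` to `scannedExtensions` makes the step-order validator accept `/tmp/gh-aw/aw-*.bundle` uploads as covered by secret redaction, but nothing in this hunk shows that the redact_secrets step can inspect a bundle. A git bundle is a header followed by a packfile whose objects are zlib-compressed, so a text-oriented redaction pass would presumably not match a secret committed inside it, and rewriting bytes in place would invalidate the pack. The companion hunk in `compiler_yaml_main_job.go` adds the bundle glob whenever the patch glob is uploaded, so this check now vouches for that artifact in every such workflow. I would either confirm that redaction (or an equivalent scan of the bundled commits) really runs before upload, or state the gap in the comment, e.g. `// .bundle files are compressed git packfiles; a text redaction pass cannot see their contents - TODO confirm redact_secrets covers them`. The function body continues outside the hunk, so how the result is used by callers is not visible here.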
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 17:45:37 +0000 Subject: [PATCH 08/11] fix: restore accidentally deleted agentics-maintenance.yml Agent-Logs-Url: https://github.com/github/gh-aw/sessions/12ece161-a7b5-4c87-8d5c-861b7a8fd550 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agentics-maintenance.yml | 319 +++++++++++++++++++++ 1 file changed, 319 insertions(+) create mode 100644 .github/workflows/agentics-maintenance.yml diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml new file mode 100644 index 00000000000..d2e1f05d0e1 --- /dev/null +++ b/.github/workflows/agentics-maintenance.yml 
@@ -0,0 +1,319 @@ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by pkg/workflow/maintenance_workflow.go. DO NOT EDIT. +# +# To regenerate this workflow, run: +# gh aw compile +# Not all edits will cause changes to this file. +# +# For more information: https://github.github.com/gh-aw/introduction/overview/ +# +# Alternative regeneration methods: +# make recompile +# +# Or use the gh-aw CLI directly: +# ./gh-aw compile --validate --verbose +# +# The workflow is generated when any workflow uses the 'expires' field +# in create-discussions, create-issues, or create-pull-request safe-outputs configuration. +# Schedule frequency is automatically determined by the shortest expiration time. +# +name: Agentic Maintenance + +on: + schedule: + - cron: "37 */2 * * *" # Every 2 hours (based on minimum expires: 1 days) + workflow_dispatch: + inputs: + operation: + description: 'Optional maintenance operation to run' + required: false + type: choice + default: '' + options: + - '' + - 'disable' + - 'enable' + - 'update' + - 'upgrade' + - 'safe_outputs' + run_url: + description: 'Run URL or run ID to replay safe outputs from (e.g. https://github.com/owner/repo/actions/runs/12345 or 12345). Required when operation is safe_outputs.' 
+ required: false + type: string + default: '' + +permissions: {} + +jobs: + close-expired-entities: + if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + runs-on: ubuntu-slim + permissions: + discussions: write + issues: write + pull-requests: write + steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false + + - name: Setup Scripts + uses: ./actions/setup + with: + destination: ${{ runner.temp }}/gh-aw/actions + + - name: Close expired discussions + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/close_expired_discussions.cjs'); + await main(); + + - name: Close expired issues + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/close_expired_issues.cjs'); + await main(); + + - name: Close expired pull requests + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/close_expired_pull_requests.cjs'); + await main(); + + run_operation: + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation != '' && github.event.inputs.operation != 'safe_outputs' && !github.event.repository.fork }} + runs-on: ubuntu-slim + permissions: + 
actions: write + contents: write + pull-requests: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Setup Scripts + uses: ./actions/setup + with: + destination: ${{ runner.temp }}/gh-aw/actions + + - name: Check admin/maintainer permissions + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs'); + await main(); + + - name: Setup Go + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + with: + go-version-file: go.mod + cache: true + + - name: Build gh-aw + run: make build + + - name: Run operation + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_OPERATION: ${{ github.event.inputs.operation }} + GH_AW_CMD_PREFIX: ./gh-aw + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/run_operation_update_upgrade.cjs'); + await main(); + + apply_safe_outputs: + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }} + runs-on: ubuntu-slim + permissions: + actions: read + contents: write + discussions: write + issues: write + pull-requests: write + steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false + + - name: Setup Scripts + uses: 
./actions/setup + with: + destination: ${{ runner.temp }}/gh-aw/actions + + - name: Check admin/maintainer permissions + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs'); + await main(); + + - name: Apply Safe Outputs + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_RUN_URL: ${{ github.event.inputs.run_url }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/apply_safe_outputs_replay.cjs'); + await main(); + + compile-workflows: + if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + runs-on: ubuntu-slim + permissions: + contents: read + issues: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Setup Go + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + with: + go-version-file: go.mod + cache: true + + - name: Build gh-aw + run: make build + + - name: Compile workflows + run: | + ./gh-aw compile --validate --verbose + echo "✓ All workflows compiled successfully" + + - name: Setup Scripts + uses: ./actions/setup + with: + destination: ${{ runner.temp }}/gh-aw/actions + + - name: Check for out-of-sync workflows and create issue if needed + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const { setupGlobals 
} = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_recompile_needed.cjs'); + await main(); + + zizmor-scan: + if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + runs-on: ubuntu-slim + needs: compile-workflows + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Setup Go + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + with: + go-version-file: go.mod + cache: true + + - name: Build gh-aw + run: make build + + - name: Run zizmor security scanner + run: | + ./gh-aw compile --zizmor --verbose + echo "✓ Zizmor security scan completed" + + secret-validation: + if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + runs-on: ubuntu-slim + permissions: + contents: read + steps: + - name: Checkout actions folder + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + sparse-checkout: | + actions + persist-credentials: false + + - name: Setup Node.js + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: '22' + + - name: Setup Scripts + uses: ./actions/setup + with: + destination: ${{ runner.temp }}/gh-aw/actions + + - name: Validate Secrets + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + # GitHub tokens + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} + GH_AW_COPILOT_TOKEN: ${{ secrets.GH_AW_COPILOT_TOKEN }} + # AI Engine API keys + ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + 
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} + BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }} + # Integration tokens + NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} + with: + script: | + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/validate_secrets.cjs'); + await main(); + + - name: Upload secret validation report + if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + with: + name: secret-validation-report + path: secret-validation-report.md + retention-days: 30 + if-no-files-found: warn From 4185c556bc2285259141e0d7a4f2d0b27f6a9d71 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 17:59:39 +0000 Subject: [PATCH 09/11] Add changeset --- ...rmat-bundle.md => patch-safe-outputs-patch-format-bundle.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .changeset/{minor-safe-outputs-patch-format-bundle.md => patch-safe-outputs-patch-format-bundle.md} (96%) diff --git a/.changeset/minor-safe-outputs-patch-format-bundle.md b/.changeset/patch-safe-outputs-patch-format-bundle.md similarity index 96% rename from .changeset/minor-safe-outputs-patch-format-bundle.md rename to .changeset/patch-safe-outputs-patch-format-bundle.md index c66dd75e6bb..8be3aece75f 100644 --- a/.changeset/minor-safe-outputs-patch-format-bundle.md +++ b/.changeset/patch-safe-outputs-patch-format-bundle.md @@ -1,5 +1,5 @@ --- -"gh-aw": minor +"gh-aw": patch --- Add `patch-format: bundle` option to `create-pull-request` and `push-to-pull-request-branch` safe outputs. Set `patch-format: bundle` to transport changes via `git bundle` instead of `git format-patch`/`git am`, preserving merge commit topology, per-commit authorship and messages, and merge-resolution-only content. The default (`patch-format: am`) is unchanged. 
From 91c7c95d139e97c88d191e6b62f4cccd07ca14e1 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 19:12:21 +0000 Subject: [PATCH 10/11] fix: update threat detection and diagnostics to handle .bundle files alongside .patch Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5e69507e-ac8c-4dfd-a221-9efef095185c Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 1 + .../workflows/agent-persona-explorer.lock.yml | 1 + .../workflows/agentic-observability-kit.lock.yml | 1 + .github/workflows/archie.lock.yml | 1 + .github/workflows/artifacts-summary.lock.yml | 1 + .github/workflows/audit-workflows.lock.yml | 1 + .github/workflows/auto-triage-issues.lock.yml | 1 + .github/workflows/blog-auditor.lock.yml | 1 + .github/workflows/brave.lock.yml | 1 + .../workflows/breaking-change-checker.lock.yml | 1 + .github/workflows/ci-coach.lock.yml | 1 + .github/workflows/ci-doctor.lock.yml | 1 + .../claude-code-user-docs-review.lock.yml | 1 + .../workflows/cli-consistency-checker.lock.yml | 1 + .github/workflows/cli-version-checker.lock.yml | 1 + .github/workflows/cloclo.lock.yml | 1 + .github/workflows/code-scanning-fixer.lock.yml | 1 + .github/workflows/code-simplifier.lock.yml | 1 + .../workflows/commit-changes-analyzer.lock.yml | 1 + .../workflows/constraint-solving-potd.lock.yml | 1 + .github/workflows/contribution-check.lock.yml | 1 + .../workflows/copilot-agent-analysis.lock.yml | 1 + .../workflows/copilot-cli-deep-research.lock.yml | 1 + .../workflows/copilot-pr-merged-report.lock.yml | 1 + .../workflows/copilot-pr-nlp-analysis.lock.yml | 1 + .../copilot-pr-prompt-analysis.lock.yml | 1 + .../workflows/copilot-session-insights.lock.yml | 1 + .github/workflows/craft.lock.yml | 1 + .../daily-architecture-diagram.lock.yml | 1 + .../daily-assign-issue-to-user.lock.yml | 1 + .github/workflows/daily-choice-test.lock.yml | 1 + .github/workflows/daily-cli-performance.lock.yml | 1 + 
.../workflows/daily-cli-tools-tester.lock.yml | 1 + .github/workflows/daily-code-metrics.lock.yml | 1 + .../daily-community-attribution.lock.yml | 1 + .../workflows/daily-compiler-quality.lock.yml | 1 + .../daily-copilot-token-report.lock.yml | 1 + .github/workflows/daily-doc-healer.lock.yml | 1 + .github/workflows/daily-doc-updater.lock.yml | 1 + .github/workflows/daily-fact.lock.yml | 1 + .github/workflows/daily-file-diet.lock.yml | 1 + .github/workflows/daily-firewall-report.lock.yml | 1 + .github/workflows/daily-function-namer.lock.yml | 1 + .../workflows/daily-integrity-analysis.lock.yml | 1 + .github/workflows/daily-issues-report.lock.yml | 1 + .../daily-mcp-concurrency-analysis.lock.yml | 1 + .../daily-multi-device-docs-tester.lock.yml | 1 + .github/workflows/daily-news.lock.yml | 1 + .../daily-observability-report.lock.yml | 1 + .../workflows/daily-performance-summary.lock.yml | 1 + .github/workflows/daily-regulatory.lock.yml | 1 + .../daily-rendering-scripts-verifier.lock.yml | 1 + .github/workflows/daily-repo-chronicle.lock.yml | 1 + .../daily-safe-output-integrator.lock.yml | 1 + .../daily-safe-output-optimizer.lock.yml | 1 + .../daily-safe-outputs-conformance.lock.yml | 1 + .../workflows/daily-secrets-analysis.lock.yml | 1 + .../workflows/daily-security-red-team.lock.yml | 1 + .github/workflows/daily-semgrep-scan.lock.yml | 1 + .../daily-syntax-error-quality.lock.yml | 1 + .../daily-team-evolution-insights.lock.yml | 1 + .github/workflows/daily-team-status.lock.yml | 1 + .../daily-testify-uber-super-expert.lock.yml | 1 + .../workflows/daily-workflow-updater.lock.yml | 1 + .github/workflows/dead-code-remover.lock.yml | 1 + .github/workflows/deep-report.lock.yml | 1 + .github/workflows/delight.lock.yml | 1 + .github/workflows/dependabot-burner.lock.yml | 1 + .github/workflows/dependabot-go-checker.lock.yml | 1 + .github/workflows/dev-hawk.lock.yml | 1 + .github/workflows/dev.lock.yml | 1 + .../developer-docs-consolidator.lock.yml | 1 + 
.github/workflows/dictation-prompt.lock.yml | 1 + .github/workflows/discussion-task-miner.lock.yml | 1 + .github/workflows/docs-noob-tester.lock.yml | 1 + .github/workflows/draft-pr-cleanup.lock.yml | 1 + .../workflows/duplicate-code-detector.lock.yml | 1 + .../workflows/example-workflow-analyzer.lock.yml | 1 + .github/workflows/firewall-escape.lock.yml | 1 + .github/workflows/functional-pragmatist.lock.yml | 1 + .../github-mcp-structural-analysis.lock.yml | 1 + .../workflows/github-mcp-tools-report.lock.yml | 1 + .../github-remote-mcp-auth-test.lock.yml | 1 + .github/workflows/glossary-maintainer.lock.yml | 1 + .github/workflows/go-fan.lock.yml | 1 + .github/workflows/go-logger.lock.yml | 1 + .github/workflows/go-pattern-detector.lock.yml | 1 + .github/workflows/gpclean.lock.yml | 1 + .github/workflows/grumpy-reviewer.lock.yml | 1 + .github/workflows/hourly-ci-cleaner.lock.yml | 1 + .github/workflows/instructions-janitor.lock.yml | 1 + .github/workflows/issue-arborist.lock.yml | 1 + .github/workflows/issue-monster.lock.yml | 1 + .github/workflows/issue-triage-agent.lock.yml | 1 + .github/workflows/jsweep.lock.yml | 1 + .../workflows/layout-spec-maintainer.lock.yml | 1 + .github/workflows/lockfile-stats.lock.yml | 1 + .github/workflows/mcp-inspector.lock.yml | 1 + .github/workflows/mergefest.lock.yml | 1 + .github/workflows/org-health-report.lock.yml | 1 + .github/workflows/pdf-summary.lock.yml | 1 + .github/workflows/plan.lock.yml | 1 + .github/workflows/poem-bot.lock.yml | 1 + .github/workflows/portfolio-analyst.lock.yml | 1 + .github/workflows/pr-nitpick-reviewer.lock.yml | 1 + .github/workflows/pr-triage-agent.lock.yml | 1 + .../prompt-clustering-analysis.lock.yml | 1 + .github/workflows/python-data-charts.lock.yml | 1 + .github/workflows/q.lock.yml | 1 + .github/workflows/refiner.lock.yml | 1 + .github/workflows/release.lock.yml | 1 + .github/workflows/repo-audit-analyzer.lock.yml | 1 + .github/workflows/repo-tree-map.lock.yml | 1 + 
.../repository-quality-improver.lock.yml | 1 + .github/workflows/research.lock.yml | 1 + .github/workflows/safe-output-health.lock.yml | 1 + .../schema-consistency-checker.lock.yml | 1 + .../workflows/schema-feature-coverage.lock.yml | 1 + .github/workflows/scout.lock.yml | 1 + .github/workflows/security-compliance.lock.yml | 1 + .github/workflows/security-review.lock.yml | 1 + .../semantic-function-refactor.lock.yml | 1 + .github/workflows/sergo.lock.yml | 1 + .github/workflows/slide-deck-maintainer.lock.yml | 1 + .../workflows/smoke-agent-all-merged.lock.yml | 1 + .github/workflows/smoke-agent-all-none.lock.yml | 1 + .../smoke-agent-public-approved.lock.yml | 1 + .../workflows/smoke-agent-public-none.lock.yml | 1 + .../smoke-agent-scoped-approved.lock.yml | 1 + .github/workflows/smoke-call-workflow.lock.yml | 1 + .github/workflows/smoke-claude.lock.yml | 1 + .github/workflows/smoke-codex.lock.yml | 1 + .github/workflows/smoke-copilot-arm.lock.yml | 1 + .github/workflows/smoke-copilot.lock.yml | 1 + .../smoke-create-cross-repo-pr.lock.yml | 1 + .github/workflows/smoke-gemini.lock.yml | 1 + .github/workflows/smoke-multi-pr.lock.yml | 1 + .github/workflows/smoke-project.lock.yml | 1 + .github/workflows/smoke-temporary-id.lock.yml | 1 + .github/workflows/smoke-test-tools.lock.yml | 1 + .../smoke-update-cross-repo-pr.lock.yml | 1 + .../smoke-workflow-call-with-inputs.lock.yml | 1 + .github/workflows/smoke-workflow-call.lock.yml | 1 + .github/workflows/stale-repo-identifier.lock.yml | 1 + .../workflows/static-analysis-report.lock.yml | 1 + .github/workflows/step-name-alignment.lock.yml | 1 + .github/workflows/sub-issue-closer.lock.yml | 1 + .github/workflows/super-linter.lock.yml | 1 + .github/workflows/technical-doc-writer.lock.yml | 1 + .github/workflows/terminal-stylist.lock.yml | 1 + .../test-create-pr-error-handling.lock.yml | 1 + .github/workflows/test-dispatcher.lock.yml | 1 + .../workflows/test-project-url-default.lock.yml | 1 + .github/workflows/tidy.lock.yml 
| 1 + .github/workflows/typist.lock.yml | 1 + .github/workflows/ubuntu-image-analyzer.lock.yml | 1 + .github/workflows/unbloat-docs.lock.yml | 1 + .github/workflows/update-astro.lock.yml | 1 + .github/workflows/video-analyzer.lock.yml | 1 + .../workflows/weekly-blog-post-writer.lock.yml | 1 + .../weekly-editors-health-check.lock.yml | 1 + .github/workflows/weekly-issue-summary.lock.yml | 1 + .../weekly-safe-outputs-spec-review.lock.yml | 1 + .github/workflows/workflow-generator.lock.yml | 1 + .../workflows/workflow-health-manager.lock.yml | 1 + .github/workflows/workflow-normalizer.lock.yml | 1 + .../workflows/workflow-skill-extractor.lock.yml | 1 + actions/setup/js/collect_ndjson_output.cjs | 11 ++++++----- actions/setup/js/setup_threat_detection.cjs | 16 +++++++++------- actions/setup/md/threat_detection.md | 4 +++- pkg/cli/logs_metrics.go | 16 +++++++++++----- pkg/workflow/prompts/threat_detection.md | 4 +++- pkg/workflow/threat_detection.go | 3 +++ 173 files changed, 202 insertions(+), 19 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index ef036e0a9a4..756f69ce6eb 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -903,6 +903,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 7d30065fe64..57b566052ce 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -845,6 +845,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml index 69c3599ab95..89fdde6db68 100644 --- a/.github/workflows/agentic-observability-kit.lock.yml +++ b/.github/workflows/agentic-observability-kit.lock.yml @@ -853,6 +853,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index f1525732294..9aca57e5b9d 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -813,6 +813,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index e17d3079fda..14a26f9934d 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -740,6 +740,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index a6c6f32123c..ac7cda1274f 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -981,6 +981,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 10a128c2349..ce40d97b342 100644 --- a/.github/workflows/auto-triage-issues.lock.yml 
+++ b/.github/workflows/auto-triage-issues.lock.yml @@ -789,6 +789,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index caa91b38988..c978519697b 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -856,6 +856,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 1591437a6b9..5e5c6a4faf5 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -805,6 +805,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index eb37fb132bd..7208586a67f 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -773,6 +773,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 4c86c777a8b..8d9170bbbc1 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -828,6 +828,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 6e557f39d5e..e96dfcf0dc4 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -963,6 +963,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 3b0a669146e..47c81349e4f 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -816,6 +816,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index a1c948c92c9..30a94b380ac 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -738,6 +738,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 393510581fd..69f1480bfb2 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -828,6 +828,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index edb2501f5ec..65417366722 100644 
--- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1129,6 +1129,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 4caa38c7dd0..f8bc3397e7c 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -816,6 +816,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 4034efebf59..fbdbab0d090 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -765,6 +765,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index f29b224e851..b881bbf17f6 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -790,6 +790,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index d24de60da8d..194cb35603c 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml 
@@ -741,6 +741,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index b5a93939e83..2e78967961c 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -785,6 +785,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 8b8ebd3efbc..6a806d088e8 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -866,6 +866,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index fc422fa4c03..d17ef286e95 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -796,6 +796,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 68d2bd046c5..687093141bf 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml 
@@ -916,6 +916,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 8ad20d7c7cb..d4baa85f848 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -878,6 +878,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 88ff5024e10..be092bb9419 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -815,6 +815,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 81cc17fa5cf..02723269fca 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -928,6 +928,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index ce48125c94c..a4da9334e9a 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml 
@@ -804,6 +804,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 62439b39a94..bfbb55bd735 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -806,6 +806,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 20770a7e6c7..94ec255ca25 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -742,6 +742,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index a0d47869c26..948c304b09c 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -781,6 +781,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 10215c58c53..e9e9a14c51a 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
@@ -985,6 +985,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 2e94233c9e7..45739eae76c 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -826,6 +826,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 0e0a2d6fa15..39b5cde276d 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -902,6 +902,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 18b71435f47..6b1aab407fe 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -828,6 +828,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index b515b4cfe3b..64f55901dc1 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml 
@@ -801,6 +801,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index b811226ac55..aa9e0656fc1 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -882,6 +882,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 31a2589b219..3dd3e788afb 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -947,6 +947,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index d13bd6b1543..fa5607a8bde 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -910,6 +910,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index c140f6c665a..3699c0d9b10 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -775,6 +775,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 91f89dd7b17..b830c6e0dee 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -798,6 +798,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 56d199639b7..6dcb17625d2 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -896,6 +896,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index e5ebc80922e..dee54acb012 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -848,6 +848,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index 4da576e6c9a..f396cbd8afc 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml 
@@ -901,6 +901,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index aff08b22f70..73244981f71 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -888,6 +888,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index fcd04809c22..58d8ddbc724 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -824,6 +824,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 0e6f795d99c..85572996227 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -904,6 +904,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index acb6d729e5c..81f0e6cc421 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -950,6 +950,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index e5c09ae49d1..7828fec0c2c 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -863,6 +863,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 76f8b8dced4..f4bdf3dd82f 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1338,6 +1338,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 2c5950f5e3b..8b0d97707ac 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1261,6 +1261,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 96f8ba2621a..c337adb45c6 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -940,6 +940,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index ec51f322fcd..7e61e4050c9 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -818,6 +818,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index 2a63327468f..7c3d176350c 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -785,6 +785,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index f983ef80f75..028de6e3b11 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -933,6 +933,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index be11e40a720..24df001d2c0 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml 
@@ -792,6 +792,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 75714b1448e..fa0edf0cc10 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -767,6 +767,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 5bcac9a89ca..74015f43374 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -796,6 +796,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index aa3abb4c412..fc2f7e6a874 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -775,6 +775,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 0cb048f8fb7..8af198f7b87 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml 
@@ -779,6 +779,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 4bf5108e310..3d974e328cb 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -788,6 +788,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 37ec1440495..9ad6e8f9256 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -759,6 +759,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 9f4ee880d26..99b290b84a8 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -831,6 +831,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 07e74f2b350..1d752fd8973 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml 
@@ -742,6 +742,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 6fdbc02a0ff..2d00ff17b01 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -793,6 +793,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 922a3ff9e81..89cd5e398ec 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -973,6 +973,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 854fa462f34..e51fb18a381 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -836,6 +836,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 6d2662b1bef..fdeb3719bee 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -751,6 +751,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 80872aa2320..256ccbae10e 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -769,6 +769,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 92c578fd9f5..f0af2423788 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -843,6 +843,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index c4a899b577e..ed6b0ed75bb 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -853,6 +853,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index ae4342fe6cb..4624ef3b927 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1001,6 +1001,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index e4e4dce2322..f8ff342ca31 100644 --- a/.github/workflows/dictation-prompt.lock.yml 
+++ b/.github/workflows/dictation-prompt.lock.yml @@ -810,6 +810,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 5ee2667dfa1..99165cb423a 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -822,6 +822,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 0c04c2ec6fd..21de4b49a60 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -791,6 +791,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index ef922690e59..b33764763db 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -777,6 +777,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index a3d0a2089f1..657a8e76d42 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -805,6 +805,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index db5c9125338..648ee4bd0e2 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -859,6 +859,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index e41eaeed0fc..4143a057f3f 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -810,6 +810,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index d753e6ee1f1..2a6016f8500 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -755,6 +755,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 2a3f818617b..f80b1e54c55 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml 
@@ -869,6 +869,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 14593253cbc..b8954f3c41c 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -855,6 +855,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 9b7e83ea020..d514668dcd6 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -749,6 +749,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 38b65db75b8..4568f28e49f 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -906,6 +906,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index a89634dd3d4..90a77c848a3 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -859,6 +859,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index ff95d8b3534..3584fe8c76f 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1019,6 +1019,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 4e65d975c35..2f8f7fefdba 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -818,6 +818,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 9ad937167e4..305080b4e72 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -778,6 +778,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index f8eaa9350f5..86df08e1c43 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -854,6 +854,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 6abbc3d6a20..3cc9bba2786 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -805,6 +805,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 95db8e401a2..1bb7961414e 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -840,6 +840,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 1ee651c0bb3..45384fb8427 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -815,6 +815,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 83770386bdb..d1927f734d6 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1134,6 +1134,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index f19c093ac27..d902764f583 100644 --- a/.github/workflows/issue-triage-agent.lock.yml 
+++ b/.github/workflows/issue-triage-agent.lock.yml @@ -734,6 +734,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index a0fc3094ba2..3181b839b47 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -797,6 +797,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 33211da98a1..4072f5e9905 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -784,6 +784,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index e0db7c4be00..f516a57d43b 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -812,6 +812,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 37fcfd40ad7..c1f46e5018f 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -1260,6 +1260,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index bef0d254b54..1173ae6a5c8 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -821,6 +821,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 64f56cce040..c495cfa75e2 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -824,6 +824,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 68939d1ec15..3d4696dde49 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -885,6 +885,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 2335e174ed2..31f5139bc6d 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -826,6 +826,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index d755a8fa5a7..c1c5ef9e22c 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1171,6 +1171,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 223c2a3d3b3..572a2021677 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -907,6 +907,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index da3bce7f445..7157d25a123 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -884,6 +884,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index ae0c984393c..36cff2edf12 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -812,6 +812,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index ab15c3965c3..6fa9d859711 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml 
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -954,6 +954,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index dd3c1623645..d3ccce55a22 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -895,6 +895,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 48dc06aefd8..9fe7bb5fc33 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -993,6 +993,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 425f1ab6332..5442bd29290 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -795,6 +795,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index a97aaabeeae..76655f71b0a 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -787,6 +787,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 4b137f7954c..d4bfd9eead9 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -770,6 +770,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index cbf6296ea4c..736b90efd95 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -741,6 +741,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 16719303e94..f6a8fa71ffa 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -785,6 +785,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index c91435974a7..57ca4b4dae6 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -773,6 +773,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 81650a2819f..938b1230d9b 100644 --- a/.github/workflows/safe-output-health.lock.yml 
+++ b/.github/workflows/safe-output-health.lock.yml @@ -917,6 +917,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index a74d5623304..5b59f3bcb36 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -812,6 +812,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 611985df816..8c699c38904 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -756,6 +756,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 495988d6679..04848b0b0d2 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1060,6 +1060,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ae24c666237..6ab7cbbf072 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml 
@@ -792,6 +792,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 55e66485e72..47a45ee183a 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -930,6 +930,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 109be24f83a..7af17da3009 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -858,6 +858,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index de79d829db2..b38563b1575 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -858,6 +858,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 4f02a0b33ba..f06a7b8769f 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml 
@@ -863,6 +863,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index c3479ecaead..8c76d5b526c 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -763,6 +763,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 5100d996077..e8d83baceed 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -763,6 +763,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index def6f49c7eb..88d287367a7 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -789,6 +789,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 41c57adde71..3b79541863e 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml 
@@ -763,6 +763,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 1b23063570c..00a9a7954e9 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -767,6 +767,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index f1a261c447d..ceb56ba758f 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -747,6 +747,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 85dae88ecce..8e92c07310f 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2222,6 +2222,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index b314801b5bc..3df0026f64e 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -1293,6 +1293,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 8965afa2df7..01239687b70 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1661,6 +1661,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 5963bd34c2f..c374c15dd35 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1709,6 +1709,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 3f24124fbc3..27dde1532de 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -849,6 +849,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index b0bcd86e822..1df14d430f2 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml 
@@ -996,6 +996,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index bf94bbb5d72..60a1135bb82 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -842,6 +842,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 925d4997993..c2363e29a04 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -975,6 +975,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index d486a5eb0bf..c1426a780b2 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -828,6 +828,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 0a66b105e0b..b6840fb17c0 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -789,6 +789,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 9ca24434cd0..79da1425846 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -862,6 +862,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 1da20aea6a5..105b243d010 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -810,6 +810,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 40cf7a4ee5c..928220cd57d 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -798,6 +798,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 0568fc9e9b8..27a07aaa59e 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -890,6 +890,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 7a7d0e2e50e..5f2467fcf4d 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -895,6 +895,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index c7a6fea4c48..291c19518a0 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -828,6 +828,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 3f082656f14..9a6df715f8d 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -781,6 +781,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 1397e7b1015..19a134dc029 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -786,6 +786,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index fb95875d1ae..83a2ee55b88 100644 
--- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -952,6 +952,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 29b3070af68..676cd90c6a7 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -760,6 +760,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 724ed3c9bf7..bc356ac5be6 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -812,6 +812,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index ed659ea95ae..bf3dd883c5d 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -723,6 +723,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 01e5c1bcbc6..035ba72b0b7 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml 
@@ -783,6 +783,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index cdd2ea27f36..61af22af7a6 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -872,6 +872,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 528280ce984..69ca69b268f 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -831,6 +831,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index bb9e66badea..d479a61733e 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -787,6 +787,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 453b34df5a4..e6431d644a7 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1094,6 +1094,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() 
diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 9a860b8a21c..e473a7f1379 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -766,6 +766,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index d04aaf83904..20c74c41726 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -778,6 +778,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index a7511c538fd..2ccb46e25e8 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -925,6 +925,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 03dacd51fc2..565b137609e 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -817,6 +817,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 21553e68e3e..73f2f981f28 100644 
--- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -804,6 +804,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index fa14406d2ba..8eb7da18dee 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -744,6 +744,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 852c437da98..1c83556d036 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -821,6 +821,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 85b58c87fb3..b5783a04394 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -860,6 +860,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 71564514baf..579fb6da165 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -825,6 +825,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index da49200a7ff..02a0d1e6b6e 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -796,6 +796,7 @@ jobs: /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json /tmp/gh-aw/aw-*.patch + /tmp/gh-aw/aw-*.bundle if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/actions/setup/js/collect_ndjson_output.cjs b/actions/setup/js/collect_ndjson_output.cjs index d11113c0d66..a36f9a12171 100644 --- a/actions/setup/js/collect_ndjson_output.cjs +++ b/actions/setup/js/collect_ndjson_output.cjs @@ -379,8 +379,9 @@ async function main() { core.info(`output_types: ${outputTypes.join(", ")}`); core.setOutput("output_types", outputTypes.join(",")); - // Check if any patch files exist for detection job conditional - // Patches are now named aw-{branch}.patch (one per branch) + // Check if any patch or bundle files exist for detection job conditional + // Patches are named aw-{branch}.patch (format-patch transport, one per branch) + // Bundles are named aw-{branch}.bundle (git bundle transport, preserves merge topology) const patchDir = "/tmp/gh-aw"; let hasPatch = false; const patchFiles = []; @@ -388,7 +389,7 @@ async function main() { if (fs.existsSync(patchDir)) { const dirEntries = fs.readdirSync(patchDir); for (const entry of dirEntries) { - if (/^aw-.+\.patch$/.test(entry)) { + if (/^aw-.+\.(patch|bundle)$/.test(entry)) { patchFiles.push(entry); hasPatch = true; } 
@@ -398,9 +399,9 @@ async function main() { // If we can't read the directory, assume no patch } if (hasPatch) { - core.info(`Found ${patchFiles.length} patch file(s): ${patchFiles.join(", ")}`); + core.info(`Found ${patchFiles.length} patch/bundle file(s): ${patchFiles.join(", ")}`); } else { - core.info(`No patch files found in: ${patchDir}`); + core.info(`No patch or bundle files found in: ${patchDir}`); } // Check if allow-empty is enabled for create_pull_request (reuse already loaded config) diff --git a/actions/setup/js/setup_threat_detection.cjs b/actions/setup/js/setup_threat_detection.cjs index 51663d6ea42..822c15f5625 100644 --- a/actions/setup/js/setup_threat_detection.cjs +++ b/actions/setup/js/setup_threat_detection.cjs @@ -50,15 +50,16 @@ async function main() { return; } - // Check if patch file(s) exist - // Patches are now named aw-{branch}.patch (one per branch) + // Check if patch/bundle file(s) exist + // Patches are named aw-{branch}.patch (format-patch / git am transport) + // Bundles are named aw-{branch}.bundle (git bundle transport, preserves merge topology) // The agent artifact is downloaded to /tmp/gh-aw/threat-detection/ const hasPatch = process.env.HAS_PATCH === "true"; const patchFiles = []; try { const dirEntries = fs.readdirSync(threatDetectionDir); for (const entry of dirEntries) { - if (/^aw-.+\.patch$/.test(entry)) { + if (/^aw-.+\.(patch|bundle)$/.test(entry)) { patchFiles.push(path.join(threatDetectionDir, entry)); } } @@ -67,7 +68,7 @@ async function main() { } if (patchFiles.length === 0 && hasPatch) { - core.setFailed(`${ERR_VALIDATION}: Patch file(s) expected but not found in: ${threatDetectionDir}`); + core.setFailed(`${ERR_VALIDATION}: Patch/bundle file(s) expected but not found in: ${threatDetectionDir}`); return; } 
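Review bot: In collect_ndjson_output.cjs the directory scan that now also decides whether bundles exist still treats a read failure as "no files"; the context comment `// If we can't read the directory, assume no patch` sits just above the changed log lines. An unreadable `/tmp/gh-aw` is therefore reported the same way as an empty one. The comment in the first hunk of this file says the flag feeds the detection job conditional, so a scan error would presumably skip detection instead of stopping the run. I would bind the error in that catch and surface it, e.g. `core.warning("Could not list " + patchDir + ": " + err.message);`, or fail the step outright. The catch clause itself lies between the hunks, and main() starts and ends outside them.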
@@ -75,13 +76,14 @@ async function main() { const promptFileInfo = promptPath + " (" + fs.statSync(promptPath).size + " bytes)"; const agentOutputFileInfo = agentOutputPath + " (" + fs.statSync(agentOutputPath).size + " bytes)"; - // Build patch file info for template replacement - let patchFileInfo = "No patch file found"; + // Build patch/bundle file info for template replacement + let patchFileInfo = "No patch or bundle file found"; if (patchFiles.length > 0) { patchFileInfo = patchFiles .map(p => { const size = fs.existsSync(p) ? fs.statSync(p).size : 0; - return `${p} (${size} bytes)`; + const type = p.endsWith(".bundle") ? "git-bundle" : "git-patch"; + return `${p} (${size} bytes, ${type})`; }) .join("\n"); } diff --git a/actions/setup/md/threat_detection.md b/actions/setup/md/threat_detection.md index 29dc5d91629..e7391c400d4 100644 --- a/actions/setup/md/threat_detection.md +++ b/actions/setup/md/threat_detection.md @@ -22,9 +22,11 @@ The agent output has been saved to the following file (if any): Read and analyze this file to check for security threats. -## Code Changes (Patch) +## Code Changes (Patch or Bundle) The following code changes were made by the agent (if any): +**Note**: Code changes may be provided as either a `git format-patch` file (`.patch`, human-readable unified diff) or a `git bundle` file (`.bundle`, binary git transport that preserves merge commit topology). Both represent committed code changes by the agent. + {AGENT_PATCH_FILE} diff --git a/pkg/cli/logs_metrics.go b/pkg/cli/logs_metrics.go index 3d7c1297919..c9282f60b7b 100644 --- a/pkg/cli/logs_metrics.go +++ b/pkg/cli/logs_metrics.go 
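Review bot: The `git-bundle` label added to `patchFileInfo` in setup_threat_detection.cjs hands the detector the path of a binary file, and nothing in this file's hunks turns the bundle into something it can review. The threat_detection.md change in this commit itself describes `.bundle` as a binary git transport, yet the template still only lists the path under "Code Changes", so unless a step outside these hunks unpacks it, the commits carried by a bundle are not actually inspected. I would have the setup verify the bundle, render its commits as text (for example by fetching it into a scratch repository and writing the `git log -p` output next to it), list that text file in `patchFileInfo`, and fail the step when the rendering fails. At minimum add `// NOTE: .bundle is a binary packfile; the detector needs a text rendering of its commits to review them` above the `type` line. main() starts and ends outside the hunk.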
@@ -93,15 +93,21 @@ func extractLogMetrics(logDir string, verbose bool, workflowPath ...string) (Log } } - // Check for aw-*.patch artifact files (branch-named patches) + // Check for aw-*.patch and aw-*.bundle artifact files (branch-named patches/bundles) if dirEntries, err := os.ReadDir(logDir); err == nil { for _, entry := range dirEntries { name := entry.Name() - if matched, _ := filepath.Match("aw-*.patch", name); matched { + isPatch, _ := filepath.Match("aw-*.patch", name) + isBundle, _ := filepath.Match("aw-*.bundle", name) + if isPatch || isBundle { if verbose { - patchPath := filepath.Join(logDir, name) - if fileInfo, statErr := os.Stat(patchPath); statErr == nil { - fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Found git patch file: %s (%s)", name, console.FormatFileSize(fileInfo.Size())))) + filePath := filepath.Join(logDir, name) + if fileInfo, statErr := os.Stat(filePath); statErr == nil { + fileType := "git patch" + if isBundle { + fileType = "git bundle" + } + fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Found %s file: %s (%s)", fileType, name, console.FormatFileSize(fileInfo.Size())))) } } } diff --git a/pkg/workflow/prompts/threat_detection.md b/pkg/workflow/prompts/threat_detection.md index 29dc5d91629..e7391c400d4 100644 --- a/pkg/workflow/prompts/threat_detection.md +++ b/pkg/workflow/prompts/threat_detection.md @@ -22,9 +22,11 @@ The agent output has been saved to the following file (if any): Read and analyze this file to check for security threats. -## Code Changes (Patch) +## Code Changes (Patch or Bundle) The following code changes were made by the agent (if any): +**Note**: Code changes may be provided as either a `git format-patch` file (`.patch`, human-readable unified diff) or a `git bundle` file (`.bundle`, binary git transport that preserves merge commit topology). Both represent committed code changes by the agent. + {AGENT_PATCH_FILE} 
diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index fa6e080e9e3..3057cd2a0bf 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -271,6 +271,9 @@ func (c *Compiler) buildPrepareDetectionFilesStep() []string { " for f in /tmp/gh-aw/aw-*.patch; do\n", " [ -f \"$f\" ] && cp \"$f\" /tmp/gh-aw/threat-detection/ 2>/dev/null || true\n", " done\n", + " for f in /tmp/gh-aw/aw-*.bundle; do\n", + " [ -f \"$f\" ] && cp \"$f\" /tmp/gh-aw/threat-detection/ 2>/dev/null || true\n", + " done\n", " echo \"Prepared threat detection files:\"\n", " ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true\n", } From b754da5149840dab4c65c2cafa66a406fcf6e126 Mon Sep 17 00:00:00 2001 
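Review bot: The bundle loop added to buildPrepareDetectionFilesStep copies with `2>/dev/null || true`, so a bundle that fails to copy is dropped from the detection input without any trace in the log. The check visible in setup_threat_detection.cjs fails only when no patch or bundle file at all is found, so a run with one copied patch and one missing bundle would presumably pass with the bundle unreviewed. Assuming the step's shell stops on errors, I would let the copy fail the step by emitting `if [ -f "$f" ]; then cp "$f" /tmp/gh-aw/threat-detection/; fi` as the loop body instead. The existing `.patch` loop above it has the same pattern, and the function starts outside the hunk.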
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 20:13:22 +0000 Subject: [PATCH 11/11] fix: add Record annotation to patchOptions to fix TS2339 type errors Agent-Logs-Url: https://github.com/github/gh-aw/sessions/15e60b64-3f48-4827-af37-44ea8cdb85c7 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agent-performance-analyzer.lock.yml | 3 +++ .github/workflows/agent-persona-explorer.lock.yml | 3 +++ .github/workflows/agentic-observability-kit.lock.yml | 3 +++ .github/workflows/archie.lock.yml | 3 +++ .github/workflows/artifacts-summary.lock.yml | 3 +++ .github/workflows/audit-workflows.lock.yml | 3 +++ .github/workflows/auto-triage-issues.lock.yml | 3 +++ .github/workflows/blog-auditor.lock.yml | 3 +++ .github/workflows/brave.lock.yml | 3 +++ .github/workflows/breaking-change-checker.lock.yml | 3 +++ .github/workflows/ci-coach.lock.yml | 3 +++ .github/workflows/ci-doctor.lock.yml | 3 +++ .github/workflows/claude-code-user-docs-review.lock.yml | 3 +++ .github/workflows/cli-consistency-checker.lock.yml | 3 +++ .github/workflows/cli-version-checker.lock.yml | 3 +++ .github/workflows/cloclo.lock.yml | 3 +++ .github/workflows/code-scanning-fixer.lock.yml | 3 +++ .github/workflows/code-simplifier.lock.yml | 3 +++ .github/workflows/commit-changes-analyzer.lock.yml | 3 +++ .github/workflows/constraint-solving-potd.lock.yml | 3 +++ .github/workflows/contribution-check.lock.yml | 3 +++ .github/workflows/copilot-agent-analysis.lock.yml | 3 +++ .github/workflows/copilot-cli-deep-research.lock.yml | 3 +++ .github/workflows/copilot-pr-merged-report.lock.yml | 3 +++ .github/workflows/copilot-pr-nlp-analysis.lock.yml | 3 +++ .github/workflows/copilot-pr-prompt-analysis.lock.yml | 3 +++ .github/workflows/copilot-session-insights.lock.yml | 3 +++ .github/workflows/craft.lock.yml | 3 +++ .github/workflows/daily-architecture-diagram.lock.yml | 3 +++ 
.github/workflows/daily-assign-issue-to-user.lock.yml | 3 +++ .github/workflows/daily-choice-test.lock.yml | 3 +++ .github/workflows/daily-cli-performance.lock.yml | 3 +++ .github/workflows/daily-cli-tools-tester.lock.yml | 3 +++ .github/workflows/daily-code-metrics.lock.yml | 3 +++ .github/workflows/daily-community-attribution.lock.yml | 3 +++ .github/workflows/daily-compiler-quality.lock.yml | 3 +++ .github/workflows/daily-copilot-token-report.lock.yml | 3 +++ .github/workflows/daily-doc-healer.lock.yml | 3 +++ .github/workflows/daily-doc-updater.lock.yml | 3 +++ .github/workflows/daily-fact.lock.yml | 3 +++ .github/workflows/daily-file-diet.lock.yml | 3 +++ .github/workflows/daily-firewall-report.lock.yml | 3 +++ .github/workflows/daily-function-namer.lock.yml | 3 +++ .github/workflows/daily-integrity-analysis.lock.yml | 3 +++ .github/workflows/daily-issues-report.lock.yml | 3 +++ .github/workflows/daily-mcp-concurrency-analysis.lock.yml | 3 +++ .github/workflows/daily-multi-device-docs-tester.lock.yml | 3 +++ .github/workflows/daily-news.lock.yml | 3 +++ .github/workflows/daily-observability-report.lock.yml | 3 +++ .github/workflows/daily-performance-summary.lock.yml | 3 +++ .github/workflows/daily-regulatory.lock.yml | 3 +++ .github/workflows/daily-rendering-scripts-verifier.lock.yml | 3 +++ .github/workflows/daily-repo-chronicle.lock.yml | 3 +++ .github/workflows/daily-safe-output-integrator.lock.yml | 3 +++ .github/workflows/daily-safe-output-optimizer.lock.yml | 3 +++ .github/workflows/daily-safe-outputs-conformance.lock.yml | 3 +++ .github/workflows/daily-secrets-analysis.lock.yml | 3 +++ .github/workflows/daily-security-red-team.lock.yml | 3 +++ .github/workflows/daily-semgrep-scan.lock.yml | 3 +++ .github/workflows/daily-syntax-error-quality.lock.yml | 3 +++ .github/workflows/daily-team-evolution-insights.lock.yml | 3 +++ .github/workflows/daily-team-status.lock.yml | 3 +++ .github/workflows/daily-testify-uber-super-expert.lock.yml | 3 +++ 
.github/workflows/daily-workflow-updater.lock.yml | 3 +++ .github/workflows/dead-code-remover.lock.yml | 3 +++ .github/workflows/deep-report.lock.yml | 3 +++ .github/workflows/delight.lock.yml | 3 +++ .github/workflows/dependabot-burner.lock.yml | 3 +++ .github/workflows/dependabot-go-checker.lock.yml | 3 +++ .github/workflows/dev-hawk.lock.yml | 3 +++ .github/workflows/dev.lock.yml | 3 +++ .github/workflows/developer-docs-consolidator.lock.yml | 3 +++ .github/workflows/dictation-prompt.lock.yml | 3 +++ .github/workflows/discussion-task-miner.lock.yml | 3 +++ .github/workflows/docs-noob-tester.lock.yml | 3 +++ .github/workflows/draft-pr-cleanup.lock.yml | 3 +++ .github/workflows/duplicate-code-detector.lock.yml | 3 +++ .github/workflows/example-workflow-analyzer.lock.yml | 3 +++ .github/workflows/firewall-escape.lock.yml | 3 +++ .github/workflows/functional-pragmatist.lock.yml | 3 +++ .github/workflows/github-mcp-structural-analysis.lock.yml | 3 +++ .github/workflows/github-mcp-tools-report.lock.yml | 3 +++ .github/workflows/github-remote-mcp-auth-test.lock.yml | 3 +++ .github/workflows/glossary-maintainer.lock.yml | 3 +++ .github/workflows/go-fan.lock.yml | 3 +++ .github/workflows/go-logger.lock.yml | 3 +++ .github/workflows/go-pattern-detector.lock.yml | 3 +++ .github/workflows/gpclean.lock.yml | 3 +++ .github/workflows/grumpy-reviewer.lock.yml | 3 +++ .github/workflows/hourly-ci-cleaner.lock.yml | 3 +++ .github/workflows/instructions-janitor.lock.yml | 3 +++ .github/workflows/issue-arborist.lock.yml | 3 +++ .github/workflows/issue-monster.lock.yml | 3 +++ .github/workflows/issue-triage-agent.lock.yml | 3 +++ .github/workflows/jsweep.lock.yml | 3 +++ .github/workflows/layout-spec-maintainer.lock.yml | 3 +++ .github/workflows/lockfile-stats.lock.yml | 3 +++ .github/workflows/mcp-inspector.lock.yml | 3 +++ .github/workflows/mergefest.lock.yml | 3 +++ .github/workflows/org-health-report.lock.yml | 3 +++ .github/workflows/pdf-summary.lock.yml | 3 +++ 
.github/workflows/plan.lock.yml | 3 +++ .github/workflows/poem-bot.lock.yml | 3 +++ .github/workflows/portfolio-analyst.lock.yml | 3 +++ .github/workflows/pr-nitpick-reviewer.lock.yml | 3 +++ .github/workflows/pr-triage-agent.lock.yml | 3 +++ .github/workflows/prompt-clustering-analysis.lock.yml | 3 +++ .github/workflows/python-data-charts.lock.yml | 3 +++ .github/workflows/q.lock.yml | 3 +++ .github/workflows/refiner.lock.yml | 3 +++ .github/workflows/release.lock.yml | 3 +++ .github/workflows/repo-audit-analyzer.lock.yml | 3 +++ .github/workflows/repo-tree-map.lock.yml | 3 +++ .github/workflows/repository-quality-improver.lock.yml | 3 +++ .github/workflows/research.lock.yml | 3 +++ .github/workflows/safe-output-health.lock.yml | 3 +++ .github/workflows/schema-consistency-checker.lock.yml | 3 +++ .github/workflows/schema-feature-coverage.lock.yml | 3 +++ .github/workflows/scout.lock.yml | 3 +++ .github/workflows/security-compliance.lock.yml | 3 +++ .github/workflows/security-review.lock.yml | 3 +++ .github/workflows/semantic-function-refactor.lock.yml | 3 +++ .github/workflows/sergo.lock.yml | 3 +++ .github/workflows/slide-deck-maintainer.lock.yml | 3 +++ .github/workflows/smoke-agent-all-merged.lock.yml | 3 +++ .github/workflows/smoke-agent-all-none.lock.yml | 3 +++ .github/workflows/smoke-agent-public-approved.lock.yml | 3 +++ .github/workflows/smoke-agent-public-none.lock.yml | 3 +++ .github/workflows/smoke-agent-scoped-approved.lock.yml | 3 +++ .github/workflows/smoke-call-workflow.lock.yml | 3 +++ .github/workflows/smoke-claude.lock.yml | 3 +++ .github/workflows/smoke-codex.lock.yml | 3 +++ .github/workflows/smoke-copilot-arm.lock.yml | 3 +++ .github/workflows/smoke-copilot.lock.yml | 3 +++ .github/workflows/smoke-create-cross-repo-pr.lock.yml | 3 +++ .github/workflows/smoke-gemini.lock.yml | 3 +++ .github/workflows/smoke-multi-pr.lock.yml | 3 +++ .github/workflows/smoke-project.lock.yml | 3 +++ .github/workflows/smoke-temporary-id.lock.yml | 3 +++ 
.github/workflows/smoke-test-tools.lock.yml | 3 +++ .github/workflows/smoke-update-cross-repo-pr.lock.yml | 3 +++ .github/workflows/smoke-workflow-call-with-inputs.lock.yml | 3 +++ .github/workflows/smoke-workflow-call.lock.yml | 3 +++ .github/workflows/stale-repo-identifier.lock.yml | 3 +++ .github/workflows/static-analysis-report.lock.yml | 3 +++ .github/workflows/step-name-alignment.lock.yml | 3 +++ .github/workflows/sub-issue-closer.lock.yml | 3 +++ .github/workflows/super-linter.lock.yml | 3 +++ .github/workflows/technical-doc-writer.lock.yml | 3 +++ .github/workflows/terminal-stylist.lock.yml | 3 +++ .github/workflows/test-create-pr-error-handling.lock.yml | 3 +++ .github/workflows/test-dispatcher.lock.yml | 3 +++ .github/workflows/test-project-url-default.lock.yml | 3 +++ .github/workflows/tidy.lock.yml | 3 +++ .github/workflows/typist.lock.yml | 3 +++ .github/workflows/ubuntu-image-analyzer.lock.yml | 3 +++ .github/workflows/unbloat-docs.lock.yml | 3 +++ .github/workflows/update-astro.lock.yml | 3 +++ .github/workflows/video-analyzer.lock.yml | 3 +++ .github/workflows/weekly-blog-post-writer.lock.yml | 3 +++ .github/workflows/weekly-editors-health-check.lock.yml | 3 +++ .github/workflows/weekly-issue-summary.lock.yml | 3 +++ .github/workflows/weekly-safe-outputs-spec-review.lock.yml | 3 +++ .github/workflows/workflow-generator.lock.yml | 3 +++ .github/workflows/workflow-health-manager.lock.yml | 3 +++ .github/workflows/workflow-normalizer.lock.yml | 3 +++ .github/workflows/workflow-skill-extractor.lock.yml | 3 +++ actions/setup/js/safe_outputs_handlers.cjs | 2 ++ 168 files changed, 503 insertions(+) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 756f69ce6eb..8baf9657f1d 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml 
@@ -1104,6 +1104,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 57b566052ce..9e3d14aaf2f 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1042,6 +1042,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml index 89fdde6db68..d41d955b8d4 100644 --- a/.github/workflows/agentic-observability-kit.lock.yml +++ b/.github/workflows/agentic-observability-kit.lock.yml @@ -1053,6 +1053,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 9aca57e5b9d..a250ea39b23 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml 
@@ -1027,6 +1027,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 14a26f9934d..cbbf1eddfe7 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -935,6 +935,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index ac7cda1274f..663f5ac1b78 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1187,6 +1187,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index ce40d97b342..ed07c951b9b 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml 
@@ -985,6 +985,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index c978519697b..f05dc337d54 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1055,6 +1055,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 5e5c6a4faf5..a146122e32d 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1019,6 +1019,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 7208586a67f..8b9209ceb61 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml 
@@ -972,6 +972,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 8d9170bbbc1..a0830e8ca24 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1043,6 +1043,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index e96dfcf0dc4..04fb8d89a60 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1186,6 +1186,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 47c81349e4f..a074b1a26fb 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -1016,6 +1016,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 30a94b380ac..916d596337e 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -930,6 +930,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 69f1480bfb2..f6c9333e2a3 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1021,6 +1021,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 65417366722..c9c5242ecdb 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -1360,6 +1360,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index f8bc3397e7c..410c466d84a 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1031,6 +1031,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index fbdbab0d090..2607aee51bd 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -980,6 +980,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index b881bbf17f6..cad66161053 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml 
@@ -985,6 +985,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 194cb35603c..3cd66e27318 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -937,6 +937,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 2e78967961c..5b606c00f15 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -980,6 +980,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 6a806d088e8..f5014f7c026 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml 
@@ -1067,6 +1067,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index d17ef286e95..607c79bc853 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -996,6 +996,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 687093141bf..5a9fb1f6641 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1112,6 +1112,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index d4baa85f848..02ce2d95dbe 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml 
@@ -1080,6 +1080,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index be092bb9419..6f8562712f3 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1016,6 +1016,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 02723269fca..bea3b8d89b2 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1130,6 +1130,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index a4da9334e9a..1fe82fd1857 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml 
@@ -1020,6 +1020,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index bfbb55bd735..4e2a248659e 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -1016,6 +1016,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 94ec255ca25..537b228487d 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -936,6 +936,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 948c304b09c..0ce8c42fe8c 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml 
@@ -976,6 +976,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index e9e9a14c51a..fb7b4129a6e 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1188,6 +1188,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 45739eae76c..e93aba25cd4 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -1019,6 +1019,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 39b5cde276d..d643bf06235 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml 
@@ -1108,6 +1108,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 6b1aab407fe..52bbf79dc3b 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -1043,6 +1043,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 64f55901dc1..d1977d9cdc4 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1001,6 +1001,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index aa9e0656fc1..6e1ab9bde31 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml 
@@ -1088,6 +1088,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 3dd3e788afb..c7482779379 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1165,6 +1165,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index fa5607a8bde..1b015329aa8 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1126,6 +1126,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 3699c0d9b10..783c26caf06 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -958,6 +958,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index b830c6e0dee..e711eedef53 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -994,6 +994,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 6dcb17625d2..1a9b20fc526 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1098,6 +1098,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index dee54acb012..76bb8df2336 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml 
@@ -1045,6 +1045,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index f396cbd8afc..204d53fcccc 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml @@ -1103,6 +1103,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 73244981f71..389bd9036d3 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1089,6 +1089,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 58d8ddbc724..2bea51376be 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml 
@@ -1021,6 +1021,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 85572996227..273c0ac420a 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1101,6 +1101,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 81f0e6cc421..41e31be57f3 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1156,6 +1156,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 7828fec0c2c..6a26ee856dc 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -1062,6 +1062,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index f4bdf3dd82f..ebd9438f5bc 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1540,6 +1540,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 8b0d97707ac..6aac1237a2d 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1461,6 +1461,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index c337adb45c6..53470dd456c 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml 
@@ -1155,6 +1155,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 7e61e4050c9..f21b6c34683 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1019,6 +1019,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index 7c3d176350c..c300626a6d2 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -999,6 +999,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 028de6e3b11..50620376c70 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -1126,6 +1126,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 24df001d2c0..d97ab8b30b1 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -988,6 +988,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index fa0edf0cc10..b633a103bcf 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -966,6 +966,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 74015f43374..c37e8878059 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml 
@@ -992,6 +992,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index fc2f7e6a874..a9d6cfb8d9e 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -968,6 +968,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 8af198f7b87..504a81b6bd9 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -975,6 +975,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 3d974e328cb..373f60d74bd 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml 
@@ -987,6 +987,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 9ad6e8f9256..ed05fe63c68 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -964,6 +964,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 99b290b84a8..2dc2a960fee 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1032,6 +1032,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 1d752fd8973..6577a17bbe8 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml 
@@ -956,6 +956,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 2d00ff17b01..b41303fb21d 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1003,6 +1003,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 89cd5e398ec..6e1eb197134 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1179,6 +1179,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index e51fb18a381..c62de765804 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml 
@@ -1041,6 +1041,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index fdeb3719bee..f246e2458fa 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -944,6 +944,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 256ccbae10e..625a8be6b1b 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -962,6 +962,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f0af2423788..f71db388027 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml 
@@ -1038,6 +1038,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ed6b0ed75bb..bda461ca7fa 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1064,6 +1064,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 4624ef3b927..35514f16159 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1220,6 +1220,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index f8ff342ca31..f94659c16c2 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml 
@@ -1020,6 +1020,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 99165cb423a..0acf00da943 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1026,6 +1026,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 21de4b49a60..bbe28d5312d 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -987,6 +987,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index b33764763db..4ffb8ae903f 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml 
@@ -972,6 +972,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 657a8e76d42..78fa1f855aa 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -999,6 +999,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 648ee4bd0e2..6fa56487b8e 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1054,6 +1054,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 4143a057f3f..c3ed6409666 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml 
@@ -1016,6 +1016,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 2a6016f8500..38e38f7436b 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -970,6 +970,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index f80b1e54c55..4de5629dade 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1066,6 +1066,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index b8954f3c41c..21091559687 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml 
@@ -1068,6 +1068,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index d514668dcd6..485e03f123c 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -945,6 +945,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 4568f28e49f..c8060ef8aa3 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1123,6 +1123,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 90a77c848a3..7791c825937 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -1059,6 +1059,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 3584fe8c76f..0b7e56ccbb0 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1229,6 +1229,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 2f8f7fefdba..4a5ef2213c3 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1054,6 +1054,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 305080b4e72..a32a60ee843 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml 
@@ -972,6 +972,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 86df08e1c43..57c78339eb7 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1067,6 +1067,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 3cc9bba2786..2f90bfd69d4 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1079,6 +1079,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 1bb7961414e..9c5d3a07040 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml 
@@ -1050,6 +1050,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 45384fb8427..daba7f09e57 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1010,6 +1010,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index d1927f734d6..3f091457461 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1332,6 +1332,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index d902764f583..ef3d465acea 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml 
@@ -928,6 +928,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 3181b839b47..dcbee88e3d3 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -1013,6 +1013,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 4072f5e9905..ad25110c611 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -999,6 +999,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index f516a57d43b..429db841028 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml 
@@ -1008,6 +1008,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index c1f46e5018f..f72335242c1 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1459,6 +1459,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 1173ae6a5c8..94446026edd 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1034,6 +1034,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index c495cfa75e2..1cba142c605 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml 
@@ -1022,6 +1022,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 3d4696dde49..316714a2a57 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1103,6 +1103,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 31f5139bc6d..f0521760749 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1038,6 +1038,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index c1c5ef9e22c..fbc2822fa78 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -1404,6 +1404,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 572a2021677..6d69d6075e0 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1109,6 +1109,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 7157d25a123..26a9cf08b3a 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1102,6 +1102,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 36cff2edf12..0b3fab4300e 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml 
@@ -1013,6 +1013,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 6fa9d859711..271ec71a220 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1150,6 +1150,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index d3ccce55a22..ab57689778d 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1093,6 +1093,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 9fe7bb5fc33..b37b3971f04 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -1225,6 +1225,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 5442bd29290..f140f5868de 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1007,6 +1007,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 76655f71b0a..511502421bc 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1100,6 +1100,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index d4bfd9eead9..134e3e49f19 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml 
@@ -970,6 +970,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 736b90efd95..e0246c24eca 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -937,6 +937,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index f6a8fa71ffa..9137f3b45af 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -982,6 +982,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 57ca4b4dae6..d1177253b11 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml 
@@ -969,6 +969,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 938b1230d9b..6735694321f 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1113,6 +1113,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 5b59f3bcb36..91717dad474 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -1008,6 +1008,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 8c699c38904..138e76d15a2 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml 
@@ -965,6 +965,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 04848b0b0d2..669d180c585 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1275,6 +1275,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 6ab7cbbf072..1f29ff7a0f6 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -990,6 +990,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 47a45ee183a..9666702f121 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml 
@@ -1144,6 +1144,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 7af17da3009..481ea24ba91 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1050,6 +1050,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index b38563b1575..b63ec1e7f99 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1058,6 +1058,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index f06a7b8769f..1f26d1ad016 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml 
@@ -1079,6 +1079,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 8c76d5b526c..48e5480409c 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -977,6 +977,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index e8d83baceed..0473ffd24e4 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -977,6 +977,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 88d287367a7..07d86fc9c54 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml 
@@ -1005,6 +1005,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 3b79541863e..7ca22db2cef 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -977,6 +977,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 00a9a7954e9..7ff88bfb8de 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -981,6 +981,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index ceb56ba758f..cf3f3ab73b3 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml 
@@ -952,6 +952,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 8e92c07310f..b4a3d45b16f 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2469,6 +2469,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 3df0026f64e..89547b3b768 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1509,6 +1509,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 01239687b70..6ddd80fa7dc 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -1882,6 +1882,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index c374c15dd35..b39f75b9055 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1930,6 +1930,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 27dde1532de..28ec89ad896 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -1079,6 +1079,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 1df14d430f2..2a837da42a1 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml 
@@ -1211,6 +1211,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 60a1135bb82..32111d7cb51 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1073,6 +1073,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index c2363e29a04..c2f56e483df 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1206,6 +1206,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index c1426a780b2..7786ef20b4b 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml 
@@ -1043,6 +1043,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index b6840fb17c0..9059a3890f7 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1004,6 +1004,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 79da1425846..daec75610e6 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1079,6 +1079,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 105b243d010..9d8896e02ea 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml 
@@ -1003,6 +1003,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 928220cd57d..3d123ecfc09 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -994,6 +994,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 27a07aaa59e..e8450c377ad 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1086,6 +1086,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 5f2467fcf4d..c2d515296a9 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml 
@@ -1091,6 +1091,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 291c19518a0..d10fa64f606 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1021,6 +1021,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 9a6df715f8d..31a3d4f2375 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -976,6 +976,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 19a134dc029..8ba2c6d6d4a 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml 
@@ -981,6 +981,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 83a2ee55b88..a5c432710c4 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1172,6 +1172,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 676cd90c6a7..39ad17d0468 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -956,6 +956,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index bc356ac5be6..a8ceac275cd 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml 
@@ -1022,6 +1022,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index bf3dd883c5d..c7577da9642 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -915,6 +915,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 035ba72b0b7..ae8d8fbba82 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -975,6 +975,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 61af22af7a6..550a940bc5a 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml 
@@ -1102,6 +1102,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 69ca69b268f..16643084f83 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -1026,6 +1026,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index d479a61733e..f760c455c8b 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1002,6 +1002,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index e6431d644a7..39accea4c35 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml 
@@ -1327,6 +1327,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index e473a7f1379..e1c669a710b 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -1025,6 +1025,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 20c74c41726..9eedc7e314a 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -971,6 +971,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 2ccb46e25e8..d9eda3901d7 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml 
@@ -1146,6 +1146,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 565b137609e..67d74b35502 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1033,6 +1033,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 73f2f981f28..d16ca39979a 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -1005,6 +1005,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 8eb7da18dee..9c7e59a01ce 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml 
+++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -959,6 +959,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 1c83556d036..f77d69c3877 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1017,6 +1017,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index b5783a04394..42ca4cef9ca 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1060,6 +1060,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 579fb6da165..1507dffcf32 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -1022,6 +1022,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 02a0d1e6b6e..5ec2e64f04d 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -992,6 +992,9 @@ jobs: for f in /tmp/gh-aw/aw-*.patch; do [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true done + for f in /tmp/gh-aw/aw-*.bundle; do + [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true + done echo "Prepared threat detection files:" ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - name: Setup threat detection diff --git a/actions/setup/js/safe_outputs_handlers.cjs b/actions/setup/js/safe_outputs_handlers.cjs index 45241118384..48756fc6c36 100644 --- a/actions/setup/js/safe_outputs_handlers.cjs +++ b/actions/setup/js/safe_outputs_handlers.cjs @@ -381,6 +381,7 @@ function createHandlers(server, appendSafeOutput, config = {}) { // Patch transport (default): uses git format-patch / git am server.debug(`Generating patch for create_pull_request with branch: ${entry.branch}${repoCwd ? ` in ${repoCwd} baseBranch: ${baseBranch}` : ""}`); + /** @type {Record} */ const patchOptions = { ...transportOptions }; // Pass excluded_files so git excludes them via :(exclude) pathspecs at generation time. if (Array.isArray(prConfig.excluded_files) && prConfig.excluded_files.length > 0) { 
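Review bot: As shown, the added `/** @type {Record} */` on `patchOptions` (hunk at -381 in `createHandlers`) has no type arguments, which in a checked JS file widens the object to any key and any value. A misspelt option name set on it further down, such as the excluded-files entry the next comment describes, would then pass the type checker unnoticed. If the arguments were only lost in rendering this is moot; otherwise a named typedef listing the transport options plus the excluded-files field would keep the check useful, e.g. `/** @type {PatchOptions} */` (name is a suggestion) backed by a `@typedef`. The same annotation is added to `pushPatchOptions` in the hunk at -559, and `createHandlers` starts and ends outside both hunks.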
@@ -559,6 +560,7 @@ function createHandlers(server, appendSafeOutput, config = {}) { // Incremental mode only includes commits since origin/branchName, // preventing patches that include already-existing commits server.debug(`Generating incremental patch for push_to_pull_request_branch with branch: ${entry.branch}, baseBranch: ${baseBranch}`); + /** @type {Record} */ const pushPatchOptions = { ...pushTransportOptions }; // Pass excluded_files so git excludes them via :(exclude) pathspecs at generation time. if (Array.isArray(pushConfig.excluded_files) && pushConfig.excluded_files.length > 0) {