diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml
deleted file mode 100644
index b49670c710d..00000000000
--- a/.github/workflows/agentic-observability-kit.lock.yml
+++ /dev/null
@@ -1,1672 +0,0 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"88df3df2f13dc34be1ab4b6064a4fd680941362f4dc9fad7c178d5876be9f538","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"docker/build-push-action","sha":"bcafcacb16a39f128d818304e6c9c0c18556b85f","version":"v7.1.0"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28","digest":"sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28","digest":"sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28","digest":"sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0","digest":"sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
-# ___ _ _
-# / _ \ | | (_)
-# | |_| | __ _ ___ _ __ | |_ _ ___
-# | _ |/ _` |/ _ \ '_ \| __| |/ __|
-# | | | | (_| | __/ | | | |_| | (__
-# \_| |_/\__, |\___|_| |_|\__|_|\___|
-# __/ |
-# _ _ |___/
-# | | | | / _| |
-# | | | | ___ _ __ _ __| |_| | _____ ____
-# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___|
-# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
-# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
-#
-# This file was automatically generated by gh-aw. DO NOT EDIT.
-#
-# To update this file, edit the corresponding .md file and run:
-# gh aw compile
-# Not all edits will cause changes to this file.
-#
-# For more information: https://github.github.com/gh-aw/introduction/overview/
-#
-# Drop-in observability and portfolio review
-#
-# Resolved workflow manifest:
-# Imports:
-# - shared/daily-audit-discussion.md
-# - shared/observability-otlp.md
-# - shared/reporting.md
-# - shared/daily-audit-base.md
-# - shared/trending-charts-simple.md
-# - shared/daily-audit-charts.md
-#
-# Secrets used:
-# - COPILOT_GITHUB_TOKEN
-# - GH_AW_GITHUB_MCP_SERVER_TOKEN
-# - GH_AW_GITHUB_TOKEN
-# - GH_AW_OTEL_ENDPOINT
-# - GH_AW_OTEL_HEADERS
-# - GITHUB_TOKEN
-#
-# Custom actions used:
-# - actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-# - actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-# - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
-# - actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-# - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-# - actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-# - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-# - docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-# - docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-#
-# Container images used:
-# - ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a
-# - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb
-# - ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474
-# - ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d
-# - ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959
-# - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
-
-name: "Agentic Observability Kit"
-"on":
- schedule:
- - cron: "7 8 * * 1"
- # Friendly format: weekly on monday around 08:00 (scattered)
- workflow_dispatch:
- inputs:
- aw_context:
- default: ""
- description: Agent caller context (used internally by Agentic Workflows).
- required: false
- type: string
-
-permissions: {}
-
-concurrency:
- group: "gh-aw-${{ github.workflow }}"
-
-run-name: "Agentic Observability Kit"
-
-env:
- OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
- OTEL_SERVICE_NAME: gh-aw
- OTEL_EXPORTER_OTLP_HEADERS: ${{ secrets.GH_AW_OTEL_HEADERS }}
-
-jobs:
- activation:
- runs-on: ubuntu-slim
- permissions:
- actions: read
- contents: read
- outputs:
- comment_id: ""
- comment_repo: ""
- engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
- lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
- model: ${{ steps.generate_aw_info.outputs.model }}
- secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
- setup-trace-id: ${{ steps.setup.outputs.trace-id }}
- stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- - name: Mask OTLP telemetry headers
- run: bash "${RUNNER_TEMP}/gh-aw/actions/mask_otlp_headers.sh"
- - name: Generate agentic run info
- id: generate_aw_info
- env:
- GH_AW_INFO_ENGINE_ID: "copilot"
- GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
- GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.36"
- GH_AW_INFO_AGENT_VERSION: "1.0.36"
- GH_AW_INFO_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_INFO_EXPERIMENTAL: "false"
- GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
- GH_AW_INFO_STAGED: "false"
- GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","python"]'
- GH_AW_INFO_FIREWALL_ENABLED: "true"
- GH_AW_INFO_AWF_VERSION: "v0.25.28"
- GH_AW_INFO_AWMG_VERSION: ""
- GH_AW_INFO_FIREWALL_TYPE: "squid"
- GH_AW_COMPILED_STRICT: "true"
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
- await main(core, context);
- - name: Validate COPILOT_GITHUB_TOKEN secret
- id: validate-secret
- run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
- env:
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- - name: Checkout .github and .agents folders
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- sparse-checkout: |
- .github
- .agents
- actions/setup
- .claude
- .codex
- .crush
- .gemini
- .opencode
- sparse-checkout-cone-mode: true
- fetch-depth: 1
- - name: Save agent config folders for base branch restoration
- env:
- GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode"
- GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md opencode.jsonc"
- # poutine:ignore untrusted_checkout_exec
- run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
- - name: Check workflow lock file
- id: check-lock-file
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_WORKFLOW_FILE: "agentic-observability-kit.lock.yml"
- GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}"
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs');
- await main();
- - name: Create prompt with built-in context
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- # poutine:ignore untrusted_checkout_exec
- run: |
- bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
- {
- cat << 'GH_AW_PROMPT_070d906a5a7d513e_EOF'
-
- GH_AW_PROMPT_070d906a5a7d513e_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_070d906a5a7d513e_EOF'
-
- Tools: create_issue, create_discussion, upload_asset(max:4), missing_tool, missing_data, noop
-
- upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs).
-
- GH_AW_PROMPT_070d906a5a7d513e_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_070d906a5a7d513e_EOF'
-
- The following GitHub context information is available for this workflow:
- {{#if __GH_AW_GITHUB_ACTOR__ }}
- - **actor**: __GH_AW_GITHUB_ACTOR__
- {{/if}}
- {{#if __GH_AW_GITHUB_REPOSITORY__ }}
- - **repository**: __GH_AW_GITHUB_REPOSITORY__
- {{/if}}
- {{#if __GH_AW_GITHUB_WORKSPACE__ }}
- - **workspace**: __GH_AW_GITHUB_WORKSPACE__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
- - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
- - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
- - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
- - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
- {{/if}}
- {{#if __GH_AW_GITHUB_RUN_ID__ }}
- - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
- {{/if}}
-
-
- GH_AW_PROMPT_070d906a5a7d513e_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_070d906a5a7d513e_EOF'
-
- {{#runtime-import .github/workflows/shared/trending-charts-simple.md}}
- {{#runtime-import .github/workflows/shared/reporting.md}}
- {{#runtime-import .github/workflows/shared/observability-otlp.md}}
- {{#runtime-import .github/workflows/agentic-observability-kit.md}}
- GH_AW_PROMPT_070d906a5a7d513e_EOF
- } > "$GH_AW_PROMPT"
- - name: Interpolate variables and render templates
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs');
- await main();
- - name: Substitute placeholders
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_ALLOWED_EXTENSIONS: ''
- GH_AW_CACHE_DESCRIPTION: ''
- GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/'
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- GH_AW_MCP_CLI_SERVERS_LIST: "- `agenticworkflows` β run `agenticworkflows --help` to see available tools\n- `safeoutputs` β run `safeoutputs --help` to see available tools"
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
-
- const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs');
-
- // Call the substitution function
- return await substitutePlaceholders({
- file: process.env.GH_AW_PROMPT,
- substitutions: {
- GH_AW_ALLOWED_EXTENSIONS: process.env.GH_AW_ALLOWED_EXTENSIONS,
- GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION,
- GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR,
- GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
- GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
- GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
- GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
- GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
- GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST
- }
- });
- - name: Validate prompt placeholders
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- # poutine:ignore untrusted_checkout_exec
- run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh"
- - name: Print prompt
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- # poutine:ignore untrusted_checkout_exec
- run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh"
- - name: Upload activation artifact
- if: success()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: activation
- path: |
- /tmp/gh-aw/aw_info.json
- /tmp/gh-aw/aw-prompts/prompt.txt
- /tmp/gh-aw/github_rate_limits.jsonl
- /tmp/gh-aw/base
- if-no-files-found: ignore
- retention-days: 1
-
- agent:
- needs: activation
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- discussions: read
- issues: read
- pull-requests: read
- concurrency:
- group: "gh-aw-copilot-${{ github.workflow }}"
- env:
- DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
- GH_AW_ASSETS_ALLOWED_EXTS: ".png,.svg"
- GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
- GH_AW_ASSETS_MAX_SIZE_KB: 10240
- GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- GH_AW_WORKFLOW_ID_SANITIZED: agenticobservabilitykit
- outputs:
- agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout || 'false' }}
- checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
- effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
- has_patch: ${{ steps.collect_output.outputs.has_patch }}
- inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error || 'false' }}
- mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error || 'false' }}
- model: ${{ needs.activation.outputs.model }}
- model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error || 'false' }}
- output: ${{ steps.collect_output.outputs.output }}
- output_types: ${{ steps.collect_output.outputs.output_types }}
- setup-trace-id: ${{ steps.setup.outputs.trace-id }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Set runtime paths
- id: set-runtime-paths
- run: |
- {
- echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl"
- echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json"
- echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
- } >> "$GITHUB_OUTPUT"
- - name: Mask OTLP telemetry headers
- run: bash "${RUNNER_TEMP}/gh-aw/actions/mask_otlp_headers.sh"
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Setup Go for CLI build
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
- with:
- go-version-file: go.mod
- cache: true
- - name: Build gh-aw CLI
- run: |
- echo "Building gh-aw CLI for linux/amd64..."
- mkdir -p dist
- VERSION=$(git describe --tags --always --dirty)
- CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
- -ldflags "-s -w -X main.version=${VERSION}" \
- -o dist/gh-aw-linux-amd64 \
- ./cmd/gh-aw
- # Copy binary to root for direct execution in user-defined steps
- cp dist/gh-aw-linux-amd64 ./gh-aw
- chmod +x ./gh-aw
- echo "β Built gh-aw CLI successfully"
- - name: Setup Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
- - name: Build gh-aw Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
- with:
- context: .
- platforms: linux/amd64
- push: false
- load: true
- tags: localhost/gh-aw:dev
- build-args: |
- BINARY=dist/gh-aw-linux-amd64
- - name: Setup Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
- with:
- python-version: '3.12'
- - name: Create gh-aw temp directory
- run: bash "${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh"
- - name: Configure gh CLI for GitHub Enterprise
- run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
- env:
- GH_TOKEN: ${{ github.token }}
- - name: Setup Python environment
- run: "mkdir -p /tmp/gh-aw/python/{data,charts,artifacts}\n# Create a virtual environment for proper package isolation (avoids --break-system-packages)\nif [ ! -d /tmp/gh-aw/venv ]; then\n python3 -m venv /tmp/gh-aw/venv\nfi\necho \"/tmp/gh-aw/venv/bin\" >> \"$GITHUB_PATH\"\n/tmp/gh-aw/venv/bin/pip install --quiet numpy pandas matplotlib seaborn scipy\n"
- - if: always()
- name: Upload source files and data
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- if-no-files-found: warn
- name: trending-source-and-data
- path: |
- /tmp/gh-aw/python/*.py
- /tmp/gh-aw/python/data/*
- retention-days: 30
-
- # Cache memory file share configuration from frontmatter processed below
- - name: Create cache-memory directory
- run: bash "${RUNNER_TEMP}/gh-aw/actions/create_cache_memory_dir.sh"
- - name: Restore cache-memory file share data
- uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- with:
- key: memory-none-nopolicy-trending-data-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
- path: /tmp/gh-aw/cache-memory
- restore-keys: |
- memory-none-nopolicy-trending-data-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-
- - name: Setup cache-memory git repository
- env:
- GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory
- GH_AW_MIN_INTEGRITY: none
- run: bash "${RUNNER_TEMP}/gh-aw/actions/setup_cache_memory_git.sh"
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Checkout PR branch
- id: checkout-pr
- if: |
- github.event.pull_request || github.event.issue.pull_request
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
- await main();
- - name: Install GitHub Copilot CLI
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.36
- env:
- GH_HOST: github.com
- - name: Install AWF binary
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.28
- - name: Determine automatic lockdown mode for GitHub MCP Server
- id: determine-automatic-lockdown
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- with:
- script: |
- const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
- await determineAutomaticLockdown(github, context, core);
- - name: Download activation artifact
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: activation
- path: /tmp/gh-aw
- - name: Restore agent config folders from base branch
- if: steps.checkout-pr.outcome == 'success'
- env:
- GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode"
- GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md opencode.jsonc"
- run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
- - name: Download container images
- run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474 ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
- - name: Install gh-aw extension
- env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- run: |
- # Check if gh-aw extension is already installed
- if gh extension list | grep -q "github/gh-aw"; then
- echo "gh-aw extension already installed, upgrading..."
- gh extension upgrade gh-aw || true
- else
- echo "Installing gh-aw extension..."
- gh extension install github/gh-aw
- fi
- gh aw --version
- # Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization
- mkdir -p "${RUNNER_TEMP}/gh-aw"
- GH_AW_BIN=""
- GH_AW_BIN=$(command -v gh-aw 2>/dev/null) || true
- if [ -z "$GH_AW_BIN" ]; then
- GH_AW_BIN=$(find "${HOME}/.local/share/gh/extensions/gh-aw" -name 'gh-aw' -type f 2>/dev/null | head -1) || true
- fi
- if [ -n "$GH_AW_BIN" ] && [ -f "$GH_AW_BIN" ]; then
- cp "$GH_AW_BIN" "${RUNNER_TEMP}/gh-aw/gh-aw"
- chmod +x "${RUNNER_TEMP}/gh-aw/gh-aw"
- echo "Copied gh-aw binary to ${RUNNER_TEMP}/gh-aw/gh-aw"
- else
- echo "::error::Failed to find gh-aw binary for MCP server"
- exit 1
- fi
- - name: Write Safe Outputs Config
- env:
- GITHUB_WORKFLOW: ${{ github.workflow }}
- run: |
- mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
- mkdir -p /tmp/gh-aw/safeoutputs
- mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_40133fbc38ca5170_EOF
- {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":168,"fallback_to_issue":true,"max":1,"title_prefix":"[observability] "},"create_issue":{"close_older_issues":true,"labels":["agentics","warning","observability"],"max":1,"title_prefix":"[observability escalation] "},"create_report_incomplete_issue":{},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".svg"],"branch":"assets/${GITHUB_WORKFLOW}","max":4,"max-size":10240}}
- GH_AW_SAFE_OUTPUTS_CONFIG_40133fbc38ca5170_EOF
- - name: Write Safe Outputs Tools
- env:
- GH_AW_TOOLS_META_JSON: |
- {
- "description_suffixes": {
- "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[observability] \". Discussions will be created in category \"audits\".",
- "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[observability escalation] \". Labels [\"agentics\" \"warning\" \"observability\"] will be automatically added.",
- "upload_asset": " CONSTRAINTS: Maximum 4 asset(s) can be uploaded. Maximum file size: 10240KB. Allowed file extensions: [.png .svg]."
- },
- "repo_params": {},
- "dynamic_tools": []
- }
- GH_AW_VALIDATION_JSON: |
- {
- "create_discussion": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "category": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "create_issue": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "labels": {
- "type": "array",
- "itemType": "string",
- "itemSanitize": true,
- "itemMaxLength": 128
- },
- "parent": {
- "issueOrPRNumber": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "temporary_id": {
- "type": "string"
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "missing_data": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "context": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "data_type": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "reason": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- }
- }
- },
- "missing_tool": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 512
- },
- "reason": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "tool": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "noop": {
- "defaultMax": 1,
- "fields": {
- "message": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- }
- }
- },
- "report_incomplete": {
- "defaultMax": 5,
- "fields": {
- "details": {
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "reason": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 1024
- }
- }
- },
- "upload_asset": {
- "defaultMax": 10,
- "fields": {
- "path": {
- "required": true,
- "type": "string"
- }
- }
- }
- }
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_safe_outputs_tools.cjs');
- await main();
- - name: Generate Safe Outputs MCP Server Config
- id: safe-outputs-config
- run: |
- # Generate a secure random API key (360 bits of entropy, 40+ chars)
- # Mask immediately to prevent timing vulnerabilities
- API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
- echo "::add-mask::${API_KEY}"
-
- PORT=3001
-
- # Set outputs for next steps
- {
- echo "safe_outputs_api_key=${API_KEY}"
- echo "safe_outputs_port=${PORT}"
- } >> "$GITHUB_OUTPUT"
-
- echo "Safe Outputs MCP server will run on port ${PORT}"
-
- - name: Start Safe Outputs MCP HTTP Server
- id: safe-outputs-start
- env:
- DEBUG: '*'
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
- GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
- GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json
- GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- run: |
- # Environment variables are set above to prevent template injection
- export DEBUG
- export GH_AW_SAFE_OUTPUTS
- export GH_AW_SAFE_OUTPUTS_PORT
- export GH_AW_SAFE_OUTPUTS_API_KEY
- export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
- export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
- export GH_AW_MCP_LOG_DIR
-
- bash "${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh"
-
- - name: Start MCP Gateway
- id: start-mcp-gateway
- env:
- GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}
- GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}
- GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
- GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
- GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
- GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
- GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- set -eo pipefail
- mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config"
-
- # Export gateway environment variables for MCP config and gateway script
- export MCP_GATEWAY_PORT="8080"
- export MCP_GATEWAY_DOMAIN="host.docker.internal"
- MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
- echo "::add-mask::${MCP_GATEWAY_API_KEY}"
- export MCP_GATEWAY_API_KEY
- export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
- mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
- export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
- export DEBUG="*"
-
- export GH_AW_ENGINE="copilot"
- export GH_AW_MCP_CLI_SERVERS='["agenticworkflows","safeoutputs"]'
- echo 'GH_AW_MCP_CLI_SERVERS=["agenticworkflows","safeoutputs"]' >> "$GITHUB_ENV"
- MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0')
- MCP_GATEWAY_GID=$(id -g 2>/dev/null || echo '0')
- DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo '0')
- export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.0'
-
- mkdir -p /home/runner/.copilot
- GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_aa0d60d1d95ecc00_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
- {
- "mcpServers": {
- "agenticworkflows": {
- "type": "stdio",
- "container": "localhost/gh-aw:dev",
- "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"],
- "args": ["--network", "host", "-w", "\${GITHUB_WORKSPACE}"],
- "env": {
- "DEBUG": "*",
- "GITHUB_TOKEN": "\${GITHUB_TOKEN}",
- "GITHUB_ACTOR": "\${GITHUB_ACTOR}",
- "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}"
- },
- "guard-policies": {
- "write-sink": {
- "accept": [
- "*"
- ]
- }
- }
- },
- "github": {
- "type": "stdio",
- "container": "ghcr.io/github/github-mcp-server:v1.0.3",
- "env": {
- "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
- "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
- "GITHUB_READ_ONLY": "1",
- "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,discussions"
- },
- "guard-policies": {
- "allow-only": {
- "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
- "repos": "$GITHUB_MCP_GUARD_REPOS"
- }
- }
- },
- "safeoutputs": {
- "type": "http",
- "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
- "headers": {
- "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
- },
- "guard-policies": {
- "write-sink": {
- "accept": [
- "*"
- ]
- }
- }
- }
- },
- "gateway": {
- "port": $MCP_GATEWAY_PORT,
- "domain": "${MCP_GATEWAY_DOMAIN}",
- "apiKey": "${MCP_GATEWAY_API_KEY}",
- "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}",
- "opentelemetry": {
- "endpoint": "${{ secrets.GH_AW_OTEL_ENDPOINT }}",
- "headers": "${OTEL_EXPORTER_OTLP_HEADERS}",
- "traceId": "${GITHUB_AW_OTEL_TRACE_ID}",
- "spanId": "${GITHUB_AW_OTEL_PARENT_SPAN_ID}"
- }
- }
- }
- GH_AW_MCP_CONFIG_aa0d60d1d95ecc00_EOF
- - name: Mount MCP servers as CLIs
- id: mount-mcp-clis
- continue-on-error: true
- env:
- MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
- MCP_GATEWAY_DOMAIN: ${{ steps.start-mcp-gateway.outputs.gateway-domain }}
- MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/mount_mcp_as_cli.cjs');
- await main();
- - name: Clean git credentials
- continue-on-error: true
- run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh"
- - name: Execute GitHub Copilot CLI
- id: agentic_execution
- # Copilot CLI tool arguments (sorted):
- timeout-minutes: 30
- run: |
- set -o pipefail
- touch /tmp/gh-aw/agent-step-summary.md
- GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
- export GH_AW_NODE_BIN
- (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
- # shellcheck disable=SC1003
- sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.28,squid=sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474,agent=sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a,api-proxy=sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb,cli-proxy=sha256:fdf310e4678ce58d248c466b89399e9680a3003038fd19322c388559016aaac7 --skip-pull --enable-api-proxy \
- -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
- env:
- COPILOT_AGENT_RUNNER_TYPE: STANDALONE
- COPILOT_API_KEY: dummy-byok-key-for-offline-mode
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
- GH_AW_ASSETS_ALLOWED_EXTS: ".png,.svg"
- GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
- GH_AW_ASSETS_MAX_SIZE_KB: 10240
- GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
- GH_AW_PHASE: agent
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_VERSION: dev
- GITHUB_API_URL: ${{ github.api_url }}
- GITHUB_AW: true
- GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
- GITHUB_HEAD_REF: ${{ github.head_ref }}
- GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
- GITHUB_WORKSPACE: ${{ github.workspace }}
- GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_AUTHOR_NAME: github-actions[bot]
- GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_COMMITTER_NAME: github-actions[bot]
- XDG_CONFIG_HOME: /home/runner
- - name: Detect Copilot errors
- id: detect-copilot-errors
- if: always()
- continue-on-error: true
- run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Copy Copilot session state files to logs
- if: always()
- continue-on-error: true
- run: bash "${RUNNER_TEMP}/gh-aw/actions/copy_copilot_session_state.sh"
- - name: Stop MCP Gateway
- if: always()
- continue-on-error: true
- env:
- MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
- MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
- GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
- run: |
- bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID"
- - name: Redact secrets in logs
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs');
- await main();
- env:
- GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_OTEL_ENDPOINT,GITHUB_TOKEN'
- SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- SECRET_GH_AW_OTEL_ENDPOINT: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
- SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Append agent step summary
- if: always()
- run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh"
- - name: Copy Safe Outputs
- if: always()
- env:
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- run: |
- mkdir -p /tmp/gh-aw
- cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true
- - name: Ingest agent output
- id: collect_output
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
- GH_AW_ALLOWED_GITHUB_REFS: ""
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_API_URL: ${{ github.api_url }}
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs');
- await main();
- - name: Parse agent logs for step summary
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_copilot_log.cjs');
- await main();
- - name: Parse MCP Gateway logs for step summary
- if: always()
- id: parse-mcp-gateway
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs');
- await main();
- - name: Print firewall logs
- if: always()
- continue-on-error: true
- env:
- AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
- run: |
- # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
- # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
- # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
- if command -v awf &> /dev/null; then
- awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
- else
- echo 'AWF binary not installed, skipping firewall log summary'
- fi
- - name: Parse token usage for step summary
- if: always()
- continue-on-error: true
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
- await main();
- - name: Generate observability summary
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_observability_summary.cjs');
- await main(core);
- - name: Write agent output placeholder if missing
- if: always()
- run: |
- if [ ! -f /tmp/gh-aw/agent_output.json ]; then
- echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
- fi
- - name: Commit cache-memory changes
- if: always()
- env:
- GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory
- run: bash "${RUNNER_TEMP}/gh-aw/actions/commit_cache_memory_git.sh"
- - name: Upload cache-memory data as artifact
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- if: always()
- with:
- name: cache-memory
- path: /tmp/gh-aw/cache-memory
- # Upload safe-outputs assets for upload_assets job
- - name: Upload Safe Outputs Assets
- if: always()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: safe-outputs-assets
- path: /tmp/gh-aw/safeoutputs/assets/
- retention-days: 1
- if-no-files-found: ignore
- - name: Upload agent artifacts
- if: always()
- continue-on-error: true
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: agent
- path: |
- /tmp/gh-aw/aw-prompts/prompt.txt
- /tmp/gh-aw/sandbox/agent/logs/
- /tmp/gh-aw/redacted-urls.log
- /tmp/gh-aw/mcp-logs/
- /tmp/gh-aw/agent_usage.json
- /tmp/gh-aw/agent-stdio.log
- /tmp/gh-aw/agent/
- /tmp/gh-aw/github_rate_limits.jsonl
- /tmp/gh-aw/otel.jsonl
- /tmp/gh-aw/safeoutputs.jsonl
- /tmp/gh-aw/agent_output.json
- /tmp/gh-aw/aw-*.patch
- /tmp/gh-aw/aw-*.bundle
- /tmp/gh-aw/sandbox/firewall/logs/
- /tmp/gh-aw/sandbox/firewall/audit/
- if-no-files-found: ignore
-
- conclusion:
- needs:
- - activation
- - agent
- - detection
- - safe_outputs
- - update_cache_memory
- - upload_assets
- if: >
- always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
- needs.activation.outputs.stale_lock_file_failed == 'true')
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- concurrency:
- group: "gh-aw-conclusion-agentic-observability-kit"
- cancel-in-progress: false
- outputs:
- incomplete_count: ${{ steps.report_incomplete.outputs.incomplete_count }}
- noop_message: ${{ steps.noop.outputs.noop_message }}
- tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
- total_count: ${{ steps.missing_tool.outputs.total_count }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Process no-op messages
- id: noop
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_NOOP_MAX: "1"
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_NOOP_REPORT_AS_ISSUE: "false"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs');
- await main();
- - name: Log detection run
- id: detection_runs
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
- GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_detection_runs.cjs');
- await main();
- - name: Record missing tool
- id: missing_tool
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs');
- await main();
- - name: Record incomplete
- id: report_incomplete
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/report_incomplete_handler.cjs');
- await main();
- - name: Handle agent failure
- id: handle_agent_failure
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_WORKFLOW_ID: "agentic-observability-kit"
- GH_AW_ACTION_FAILURE_ISSUE_EXPIRES_HOURS: "12"
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
- GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
- GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
- GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
- GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
- GH_AW_MODEL_NOT_SUPPORTED_ERROR: ${{ needs.agent.outputs.model_not_supported_error }}
- GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
- GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }}
- GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }}
- GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
- GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
- GH_AW_GROUP_REPORTS: "false"
- GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
- GH_AW_TIMEOUT_MINUTES: "30"
- GH_AW_CACHE_MEMORY_ENABLED: "true"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
- await main();
-
- detection:
- needs:
- - activation
- - agent
- if: >
- always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
- runs-on: ubuntu-latest
- permissions:
- contents: read
- outputs:
- detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
- detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
- detection_success: ${{ steps.detection_conclusion.outputs.success }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Checkout repository for patch context
- if: needs.agent.outputs.has_patch == 'true'
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- # --- Threat Detection ---
- - name: Clean stale firewall files from agent artifact
- run: |
- rm -rf /tmp/gh-aw/sandbox/firewall/logs
- rm -rf /tmp/gh-aw/sandbox/firewall/audit
- - name: Download container images
- run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474
- - name: Check if detection needed
- id: detection_guard
- if: always()
- env:
- OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
- HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
- run: |
- if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
- echo "run_detection=true" >> "$GITHUB_OUTPUT"
- echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
- else
- echo "run_detection=false" >> "$GITHUB_OUTPUT"
- echo "Detection skipped: no agent outputs or patches to analyze"
- fi
- - name: Clear MCP Config for detection
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- rm -f "${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json"
- rm -f /home/runner/.copilot/mcp-config.json
- rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
- - name: Prepare threat detection files
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
- cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
- cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
- for f in /tmp/gh-aw/aw-*.patch; do
- [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- done
- for f in /tmp/gh-aw/aw-*.bundle; do
- [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- done
- echo "Prepared threat detection files:"
- ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- - name: Setup threat detection
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- WORKFLOW_NAME: "Agentic Observability Kit"
- WORKFLOW_DESCRIPTION: "Drop-in observability and portfolio review"
- HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
- await main();
- - name: Ensure threat-detection directory and log
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- mkdir -p /tmp/gh-aw/threat-detection
- touch /tmp/gh-aw/threat-detection/detection.log
- - name: Setup Node.js
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
- with:
- node-version: '24'
- package-manager-cache: false
- - name: Install GitHub Copilot CLI
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.36
- env:
- GH_HOST: github.com
- - name: Install AWF binary
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.28
- - name: Execute GitHub Copilot CLI
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- id: detection_agentic_execution
- # Copilot CLI tool arguments (sorted):
- timeout-minutes: 20
- run: |
- set -o pipefail
- touch /tmp/gh-aw/agent-step-summary.md
- GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
- export GH_AW_NODE_BIN
- (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
- # shellcheck disable=SC1003
- sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.28,squid=sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474,agent=sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a,api-proxy=sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb,cli-proxy=sha256:fdf310e4678ce58d248c466b89399e9680a3003038fd19322c388559016aaac7 --skip-pull --enable-api-proxy \
- -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
- env:
- COPILOT_AGENT_RUNNER_TYPE: STANDALONE
- COPILOT_API_KEY: dummy-byok-key-for-offline-mode
- COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || 'claude-sonnet-4.6' }}
- GH_AW_PHASE: detection
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_VERSION: dev
- GITHUB_API_URL: ${{ github.api_url }}
- GITHUB_AW: true
- GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
- GITHUB_HEAD_REF: ${{ github.head_ref }}
- GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
- GITHUB_WORKSPACE: ${{ github.workspace }}
- GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_AUTHOR_NAME: github-actions[bot]
- GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_COMMITTER_NAME: github-actions[bot]
- XDG_CONFIG_HOME: /home/runner
- - name: Upload threat detection log
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: detection
- path: /tmp/gh-aw/threat-detection/detection.log
- if-no-files-found: ignore
- - name: Parse and conclude threat detection
- id: detection_conclusion
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
- GH_AW_DETECTION_CONTINUE_ON_ERROR: "true"
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
- await main();
-
- safe_outputs:
- needs:
- - activation
- - agent
- - detection
- if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- concurrency:
- group: "agentic-observability-kit-safe-outputs"
- cancel-in-progress: false
- timeout-minutes: 15
- env:
- GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agentic-observability-kit"
- GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
- GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
- GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
- GH_AW_ENGINE_VERSION: "1.0.36"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- GH_AW_WORKFLOW_ID: "agentic-observability-kit"
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- outputs:
- code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
- code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
- create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
- create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
- created_issue_number: ${{ steps.process_safe_outputs.outputs.created_issue_number }}
- created_issue_url: ${{ steps.process_safe_outputs.outputs.created_issue_url }}
- process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
- process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Mask OTLP telemetry headers
- run: bash "${RUNNER_TEMP}/gh-aw/actions/mask_otlp_headers.sh"
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Configure GH_HOST for enterprise compatibility
- id: ghes-host-config
- shell: bash
- run: |
- # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
- # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
- GH_HOST="${GITHUB_SERVER_URL#https://}"
- GH_HOST="${GH_HOST#http://}"
- echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
- - name: Process Safe Outputs
- id: process_safe_outputs
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"audits\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[observability] \"},\"create_issue\":{\"close_older_issues\":true,\"labels\":[\"agentics\",\"warning\",\"observability\"],\"max\":1,\"title_prefix\":\"[observability escalation] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{},\"upload_asset\":{\"allowed-exts\":[\".png\",\".svg\"],\"branch\":\"assets/${{ github.workflow }}\",\"max\":4,\"max-size\":10240}}"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
- await main();
- - name: Upload Safe Outputs Items
- if: always()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: safe-outputs-items
- path: |
- /tmp/gh-aw/safe-output-items.jsonl
- /tmp/gh-aw/temporary-id-map.json
- if-no-files-found: ignore
-
- update_cache_memory:
- needs:
- - activation
- - agent
- - detection
- if: >
- always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') &&
- needs.agent.result == 'success'
- runs-on: ubuntu-slim
- permissions:
- contents: read
- env:
- GH_AW_WORKFLOW_ID_SANITIZED: agenticobservabilitykit
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Download cache-memory artifact (default)
- id: download_cache_default
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- continue-on-error: true
- with:
- name: cache-memory
- path: /tmp/gh-aw/cache-memory
- - name: Check if cache-memory folder has content (default)
- id: check_cache_default
- shell: bash
- run: |
- if [ -d "/tmp/gh-aw/cache-memory" ] && [ "$(ls -A /tmp/gh-aw/cache-memory 2>/dev/null)" ]; then
- echo "has_content=true" >> "$GITHUB_OUTPUT"
- else
- echo "has_content=false" >> "$GITHUB_OUTPUT"
- fi
- - name: Save cache-memory to cache (default)
- if: steps.check_cache_default.outputs.has_content == 'true'
- uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- with:
- key: memory-none-nopolicy-trending-data-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
- path: /tmp/gh-aw/cache-memory
-
- upload_assets:
- needs:
- - activation
- - agent
- if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset')
- runs-on: ubuntu-slim
- permissions:
- contents: write
- timeout-minutes: 10
- outputs:
- branch_name: ${{ steps.upload_assets.outputs.branch_name }}
- published_count: ${{ steps.upload_assets.outputs.published_count }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- fetch-depth: 0
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Download assets
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: safe-outputs-assets
- path: /tmp/gh-aw/safeoutputs/assets/
- - name: List downloaded asset files
- continue-on-error: true
- run: |
- echo "Downloaded asset files:"
- find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Push assets
- id: upload_assets
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
- GH_AW_ASSETS_MAX_SIZE_KB: 10240
- GH_AW_ASSETS_ALLOWED_EXTS: ".png,.svg"
- GH_AW_WORKFLOW_NAME: "Agentic Observability Kit"
- GH_AW_TRACKER_ID: "agentic-observability-kit"
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_ENGINE_VERSION: "1.0.36"
- GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/upload_assets.cjs');
- await main();
- - name: Restore actions folder
- if: always()
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions/setup
- sparse-checkout-cone-mode: true
- persist-credentials: false
-
diff --git a/.github/workflows/agentic-observability-kit.md b/.github/workflows/agentic-observability-kit.md
deleted file mode 100644
index 8512436a0f2..00000000000
--- a/.github/workflows/agentic-observability-kit.md
+++ /dev/null
@@ -1,565 +0,0 @@
----
-description: Drop-in observability and portfolio review
-on:
- schedule: weekly on monday around 08:00
- workflow_dispatch:
-permissions:
- contents: read
- actions: read
- issues: read
- pull-requests: read
- discussions: read
-engine: copilot
-strict: true
-tracker-id: agentic-observability-kit
-tools:
- cli-proxy: true
- agentic-workflows:
- github:
- toolsets: [default, discussions]
-safe-outputs:
- mentions: false
- allowed-github-references: []
- concurrency-group: "agentic-observability-kit-safe-outputs"
- create-issue:
- title-prefix: "[observability escalation] "
- labels: [agentics, warning, observability]
- close-older-issues: true
- max: 1
- upload-asset:
- max: 4
- allowed-exts: [.png, .svg]
- noop:
- report-as-issue: false
-timeout-minutes: 30
-imports:
- - uses: shared/daily-audit-charts.md
- with:
- title-prefix: "[observability] "
- expires: 7d
----
-# Agentic Observability Kit
-
-You are an agentic workflow observability analyst. Produce one executive report that teams can read quickly, and create at most one escalation issue only when repeated patterns show that repository owners need to take action.
-
-## Mission
-
-Review recent agentic workflow runs and surface the signals that matter operationally. Also include an evidence-based repository portfolio review so maintainers can spot low-value or overlapping workflows without running a separate workflow.
-
-The operational review remains primary. The portfolio review is a secondary appendix for repository maintainers, not a full organization-level governance exercise.
-
-Surface these signals:
-
-1. Repeated drift away from a successful baseline
-2. Weak control patterns such as new write posture, new MCP failures, or more blocked requests
-3. Resource-heavy runs that are expensive for the domain they serve
-4. Stable but low-value agentic runs that may be better as deterministic automation
-5. Delegated workflows that lost continuity or are no longer behaving like a consistent cohort
-6. Repository-local portfolio opportunities such as overlapping workflows, stale workflows, or high-cost workflows whose current usage does not justify their footprint
-
-Always create a discussion with the full report. Create an escalation issue only when repeated, actionable problems need durable owner follow-up.
-
-## Data Collection Rules
-
-- Use the `agentic-workflows` MCP tool, not shell commands.
-- Start with the `logs` tool over the last 30 days.
-- Leave `workflow_name` empty so you analyze the full repository.
-- Use `count` large enough to cover the repository, typically `300` to `500`.
-- Use the `audit` tool only for up to 3 runs that need deeper inspection.
-- Use the `github` tool only for targeted inspection of workflow files when schedule, trigger, or overlap questions need confirmation.
-- If there are very few runs, still produce a report and explain the limitation.
-
-Use the 30-day window for cost, repetition, and repository portfolio judgments. In the visible summary, emphasize the most recent 14 days when describing current regressions or urgent owner action.
-
-## Deterministic Episode Model
-
-The logs JSON now includes deterministic lineage fields:
-
-- `episodes[]` for aggregated execution episodes
-- `edges[]` for lineage edges between runs
-
-Treat those structures as the primary source of truth for graph shape, confidence, and episode rollups.
-
-Prefer `episodes[]` and `edges[]` over reconstructing DAGs from raw runs in prompt space. Only fall back to per-run interpretation when episode data is absent or clearly incomplete.
-
-## Signals To Use
-
-The logs JSON already contains the main agentic signals. Prefer these fields over ad hoc heuristics:
-
-- `episodes[].episode_id`
-- `episodes[].kind`
-- `episodes[].confidence`
-- `episodes[].reasons[]`
-- `episodes[].root_run_id`
-- `episodes[].run_ids[]`
-- `episodes[].workflow_names[]`
-- `episodes[].primary_workflow`
-- `episodes[].total_runs`
-- `episodes[].total_tokens`
-- `episodes[].total_estimated_cost`
-- `episodes[].total_duration`
-- `episodes[].risky_node_count`
-- `episodes[].changed_node_count`
-- `episodes[].write_capable_node_count`
-- `episodes[].mcp_failure_count`
-- `episodes[].blocked_request_count`
-- `episodes[].latest_success_fallback_count`
-- `episodes[].new_mcp_failure_run_count`
-- `episodes[].blocked_request_increase_run_count`
-- `episodes[].resource_heavy_node_count`
-- `episodes[].poor_control_node_count`
-- `episodes[].risk_distribution`
-- `episodes[].escalation_eligible`
-- `episodes[].escalation_reason`
-- `episodes[].suggested_route`
-- `edges[].edge_type`
-- `edges[].confidence`
-- `edges[].reasons[]`
-- `task_domain.name` and `task_domain.label`
-- `behavior_fingerprint.execution_style`
-- `behavior_fingerprint.tool_breadth`
-- `behavior_fingerprint.actuation_style`
-- `behavior_fingerprint.resource_profile`
-- `behavior_fingerprint.dispatch_mode`
-- `behavior_fingerprint.agentic_fraction`
-- `agentic_assessments[].kind`
-- `agentic_assessments[].severity`
-- `context.repo`
-- `context.run_id`
-- `context.workflow_id`
-- `context.workflow_call_id`
-- `context.event_type`
-- `comparison.baseline.selection`
-- `comparison.baseline.matched_on[]`
-- `comparison.classification.label`
-- `comparison.classification.reason_codes[]`
-- `comparison.recommendation.action`
-- `action_minutes` (estimated billable Actions minutes per run)
-- `summary.total_action_minutes`
-
-Treat these values as the canonical signals for reporting.
-
-## Interpretation Rules
-
-- Use episode-level analysis first. Do not treat connected runs as unrelated when `episodes[]` already groups them.
-- Use per-run detail only to explain which nodes contributed to an episode-level problem.
-- If an episode has low confidence, say so explicitly and avoid overconfident causal claims.
-- If delegated workers look risky in isolation but the enclosing episode looks intentional and well-controlled, say that.
-- If the deterministic episode model appears incomplete or missing expected lineage, report that as an observability finding.
-- Prefer `episodes[].escalation_eligible`, `episodes[].escalation_reason`, and `episodes[].suggested_route` when deciding what should be escalated and who should look first.
-
-## Reporting Model
-
-The discussion must stay concise and operator-friendly, but it should also provide immediate visual understanding.
-
-### Visible Summary
-
-Keep these sections visible:
-
-1. `### Executive Summary`
-2. `### Key Metrics`
-3. `### Highest Risk Episodes`
-4. `### Episode Regressions`
-5. `### Visual Diagnostics`
-6. `### Portfolio Opportunities`
-7. `### Recommended Actions`
-
-Keep each visible section compact. Prefer short numeric summaries, 1-line judgments, and only the highest-value episodes.
-
-Include small numeric summaries such as:
-
-- workflows analyzed
-- runs analyzed
-- episodes analyzed
-- high-confidence episodes analyzed
-- runs with `comparison.classification.label == "risky"`
-- runs with medium or high `agentic_assessments`
-- workflows with repeated `overkill_for_agentic`
-- workflows with `partially_reducible` or `model_downgrade_available` assessments
-- workflows whose comparisons mostly fell back to `latest_success`
-- workflows that look stale, overlapping, or weakly justified at repository scope
-
-### Details
-
-Put detailed per-workflow breakdowns inside `` blocks.
-
-The `### Portfolio Opportunities` section should stay short. It is a repository-maintainer appendix, not a full workflow inventory.
-
-### Visual Report Form
-
-Generate exactly 4 high-quality charts using Python, pandas, matplotlib, and seaborn. Save them to `/tmp/gh-aw/python/charts/`, upload them with `upload_asset`, and embed them in the discussion.
-
-The charts should feel analytical and scientific. Favor phase-space views, heatmaps, frontier plots, and portfolio maps over decorative graphics.
-
-Use these concrete derived metrics:
-
-- `episode_risk_score` = weighted sum of `risky_node_count`, `poor_control_node_count`, `mcp_failure_count`, `blocked_request_count`, `new_mcp_failure_run_count`, and `blocked_request_increase_run_count`, with an additional boost when `escalation_eligible == true`
-- `workflow_instability_score` = normalized combination of risky run rate, poor-control assessment rate, resource-heavy assessment rate, latest-success fallback rate, and blocked-request incidence
-- `workflow_value_proxy` = normalized combination of successful recent usage, cohort stability, repeat use, and absence of overkill or partially reducible signals
-- `workflow_overlap_score(a,b)` = blended similarity using task domain, workflow name or token overlap, trigger or schedule similarity from workflow files when inspected, behavioral fingerprint similarity, and common recommendation or assessment patterns in recent runs
-
-Use outcome-adjusted efficiency whenever the data supports it:
-
-- prefer `cost per successful run` over raw cost alone
-- prefer `effective tokens per successful run` over raw tokens alone
-- track tool or turn overhead as `median tool calls`, `unique tools`, and `turns` per successful run when possible
-- treat a lower-cost workflow as better only when success and control quality remain comparable
-- if `estimated_cost` is missing or zero for most workflows in the sample, switch the primary efficiency axis to `effective tokens per successful run` and state that choice explicitly in the report
-
-Required charts:
-
-1. **Episode Risk-Cost Frontier**
-
- Purpose: identify which execution chains are both expensive and risky.
-
- Build a scatter or bubble chart of the highest-cost or highest-risk episodes.
-
- - x-axis: `episodes[].total_estimated_cost`
- - y-axis: `episode_risk_score`
- - point size: `episodes[].total_runs`
- - point color: `episodes[].primary_workflow` or task domain
- - annotate the top outliers on the Pareto frontier
- - save to `/tmp/gh-aw/python/charts/episode_risk_cost_frontier.png`
-
- Use this chart to answer: which episodes need immediate optimization or escalation because they combine cost with instability?
-
-2. **Workflow Stability Matrix**
-
- Purpose: identify repeat offenders and stable outliers.
-
- Build a workflow-by-metric heatmap where rows are workflows and columns are:
-
- - risky run rate
- - latest-success fallback rate
- - resource-heavy assessment rate
- - poor-control assessment rate
- - blocked-request incidence
- - MCP failure incidence
-
- Sort rows by `workflow_instability_score` descending.
-
- Save to `/tmp/gh-aw/python/charts/workflow_stability_matrix.png`.
-
- Use this chart to answer: which workflows have chronic control or stability problems, and which ones are noisy only in one dimension?
-
-3. **Repository Portfolio Map**
-
- Purpose: separate workflows that should be kept, optimized, simplified, or reviewed.
-
- Build a scatter plot where each point is a workflow.
-
- - x-axis: recent cost, preferably `estimated_cost`, with effective tokens as fallback
- - y-axis: `workflow_value_proxy`
- - point size: recent run count
- - point color: dominant recommendation bucket such as `keep`, `optimize`, `simplify`, `review`
-
- Add quadrant labels:
-
- - high value, low cost = `keep`
- - high value, high cost = `optimize`
- - low value, low cost = `simplify`
- - low value, high cost = `review`
-
- Annotate the most extreme workflows and save to `/tmp/gh-aw/python/charts/repository_portfolio_map.png`.
-
- Use this chart to answer: which workflows deserve investment, which should be trimmed, and which demand a maintainer decision?
-
-4. **Workflow Overlap Matrix**
-
- Purpose: approximate portfolio overlap in a way that scales better than a literal Venn diagram.
-
- Build a symmetric workflow-by-workflow heatmap or clustered similarity matrix using `workflow_overlap_score(a,b)`.
-
- - use only the most relevant workflows to keep the matrix readable
- - cluster similar workflows together if possible
- - annotate the strongest non-trivial overlaps
- - save to `/tmp/gh-aw/python/charts/workflow_overlap_matrix.png`
-
- Use this chart to answer: which workflows may be solving the same problem, sharing the same trigger space, or creating consolidation candidates?
-
-### Domain-Specific Reading Rules
-
-Interpret the same signals differently by task domain.
-
-- `triage`, `repo_maintenance`, and `issue_response`: these are the strongest candidates for deterministic replacement, smaller models, and narrow-tool routing. Penalize broad tool use, exploratory behavior, and repeated overkill more heavily here.
-- `research`: tolerate broader tool breadth and exploratory behavior, but still penalize repeated high cost when it does not produce stable or differentiated value. Treat `partially_reducible` as especially important here because data gathering often belongs in deterministic pre-steps.
-- `code_fix`: judge cost together with stability and successful actuation. Higher cost may be justified when write actions are intentional and controlled. Penalize blocked requests, poor control, and unstable write behavior more than raw cost alone.
-- `release_ops`: prioritize reliability, repeatability, and low control friction. Moderate cost may be acceptable, but instability and fallback-heavy behavior are strong negatives.
-- `delegated_automation`: prefer episode-level reading over workflow-level reading. Do not penalize a delegated worker for local cost or risk without checking the enclosing episode.
-- `general_automation`: stay conservative and be explicit about uncertainty.
-
-When comparing workflows for portfolio decisions, compare workflows within similar task domains first. Avoid direct value claims between unlike domains unless the evidence is very strong.
-
-If task-domain coverage is weak, use a secondary grouping pass.
-
-- when most sampled runs collapse into `general_automation`, cluster workflows by behavior fingerprint and workflow family instead of pretending the domain split is precise
-- use execution style, resource profile, tool breadth, dispatch mode, and workflow-name family as the fallback comparison frame
-- say clearly when the portfolio view is behavior-clustered rather than domain-clustered
-
-Chart quality requirements:
-
-- 300 DPI minimum
-- 12x7 inch figures unless the chart needs a square heatmap layout
-- seaborn whitegrid or similarly clean scientific styling
-- clear legends, axis labels, and direct annotations for outliers
-- no chart should exist only for decoration; each one must support a decision in the report
-
-If the data is too sparse for one of these charts, generate a simpler fallback while preserving the same filename and explain the limitation briefly in the report.
-
-Embed the charts in `### Visual Diagnostics` with short, decision-oriented interpretation under each chart.
-
-### Visual Diagnostics Report Template
-
-Use this exact report form inside the discussion:
-
-```markdown
-### Visual Diagnostics
-
-#### 1. Episode Risk-Cost Frontier
-
-
-Decision:
-[One sentence naming the frontier episodes and the immediate implication.]
-
-Why it matters:
-[One or two sentences explaining whether the problem is cost-heavy, risk-heavy, or both.]
-
-#### 2. Workflow Stability Matrix
-
-
-Decision:
-[One sentence naming the least stable workflows or the most concentrated failure mode.]
-
-Why it matters:
-[One or two sentences explaining whether the repository has broad instability or a few repeat offenders.]
-
-#### 3. Repository Portfolio Map
-
-
-Decision:
-[One sentence naming the workflows that belong in keep, optimize, simplify, or review.]
-
-Why it matters:
-[One or two sentences explaining the portfolio tradeoff visible in the quadrants.]
-
-#### 4. Workflow Overlap Matrix
-
-
-Decision:
-[One sentence naming the strongest consolidation or overlap candidates.]
-
-Why it matters:
-[One or two sentences explaining whether the overlap appears real, weak, or uncertain.]
-```
-
-Each chart must end in a decision, not only an observation.
-
-Across the full report, prefer statements like `high cost but justified`, `cheap but unstable`, `expensive and dominated`, or `agentic overkill for this domain` over generic labels like `good` or `bad`.
-
-### Plot Construction Notes
-
-Write a Python script to `/tmp/gh-aw/python/agentic_observability_plots.py` and run it.
-
-Use pandas DataFrames for both episode-level and workflow-level aggregation.
-
-Recommended construction flow:
-
-1. Build an `episodes_df` with one row per episode using `episodes[]`.
-2. Build a `runs_df` with one row per run using `.runs[]`.
-3. Build a `workflow_df` by grouping `runs_df` by workflow name.
-4. Derive chart-specific metrics from those three tables.
-
-Use logic of this form:
-
-```python
-import numpy as np
-import pandas as pd
-
-def normalize(series):
- if series.empty:
- return series
- spread = series.max() - series.min()
- if spread == 0:
- return pd.Series([0.0] * len(series), index=series.index)
- return (series - series.min()) / spread
-
-episodes_df["episode_risk_score"] = (
- 1.0 * episodes_df["risky_node_count"].fillna(0)
- + 1.2 * episodes_df["poor_control_node_count"].fillna(0)
- + 1.2 * episodes_df["mcp_failure_count"].fillna(0)
- + 1.0 * episodes_df["blocked_request_count"].fillna(0)
- + 1.4 * episodes_df["new_mcp_failure_run_count"].fillna(0)
- + 1.4 * episodes_df["blocked_request_increase_run_count"].fillna(0)
- + 2.0 * episodes_df["escalation_eligible"].fillna(False).astype(int)
-)
-
-workflow_df["cost_per_successful_run"] = (
- workflow_df["estimated_cost_sum"] /
- workflow_df["successful_runs"].replace(0, np.nan)
-)
-
-workflow_df["workflow_instability_score"] = (
- 0.25 * normalize(workflow_df["risky_run_rate"].fillna(0))
- + 0.20 * normalize(workflow_df["poor_control_rate"].fillna(0))
- + 0.20 * normalize(workflow_df["resource_heavy_rate"].fillna(0))
- + 0.15 * normalize(workflow_df["latest_success_fallback_rate"].fillna(0))
- + 0.10 * normalize(workflow_df["blocked_request_rate"].fillna(0))
- + 0.10 * normalize(workflow_df["mcp_failure_rate"].fillna(0))
-)
-
-workflow_df["workflow_value_proxy"] = (
- 0.35 * normalize(workflow_df["successful_runs"].fillna(0))
- + 0.25 * (1.0 - normalize(workflow_df["workflow_instability_score"].fillna(0)))
- + 0.20 * normalize(workflow_df["repeat_use_score"].fillna(0))
- + 0.20 * (1.0 - normalize(workflow_df["overkill_or_reduction_signal_rate"].fillna(0)))
-)
-```
-
-For the overlap matrix, do not overclaim. Use a blended similarity score and label it as approximate when needed.
-
-Use logic of this form:
-
-```python
-def workflow_overlap_score(row_a, row_b):
- score = 0.0
- if row_a["task_domain"] == row_b["task_domain"]:
- score += 0.30
- if row_a["schedule_or_trigger_family"] == row_b["schedule_or_trigger_family"]:
- score += 0.25
- if row_a["behavior_cluster"] == row_b["behavior_cluster"]:
- score += 0.20
- score += 0.15 * row_a["name_similarity_to"][row_b["workflow_name"]]
- score += 0.10 * row_a["assessment_similarity_to"][row_b["workflow_name"]]
- return min(score, 1.0)
-```
-
-Fallback guidance:
-
-- if there are too few episodes for a meaningful frontier, plot only the top workflows by cost and annotate the limitation
-- if the overlap matrix is too sparse, restrict it to the top 8 to 12 workflows by recent cost, run volume, or instability
-- if successful-run counts are too low, fall back from cost-per-successful-run to recent cost with a clear caveat
-- if `estimated_cost` is sparse across the repository, fall back from recent cost to `effective_tokens` or `effective tokens per successful run`
-- if more than half of sampled runs are `general_automation`, add a note that domain confidence is low and use behavior clusters for portfolio comparisons
-- if `partially_reducible` is common across the sample, do not demote workflows on that signal alone; require repetition, high token overhead, or supporting instability before labeling a workflow `review`
-
-### What Good Reporting Looks Like
-
-For each highlighted episode or workflow, explain:
-
-- what domain it appears to belong to
-- what its behavioral fingerprint looks like
-- whether the deterministic graph shows an orchestrated DAG or delegated episode
-- whether the actor, cost, and risk seem to belong to the workflow itself or to a larger chain
-- what the episode confidence level is and why
-- whether it is stable against a cohort match or only compared to latest success
-- whether the risky behavior is new, repeated, or likely intentional
-- what a team should change next
-
-Do not turn the visible summary into a full inventory. Push secondary detail into `` blocks.
-
-## Evidence-Based Repository Portfolio Review
-
-Include an evidence-based repository portfolio review in the discussion. Keep it secondary to the operational review and bounded to what can be supported by recent run data plus targeted workflow-file inspection.
-
-Good repository-level portfolio questions include:
-
-- Which workflows appear repeatedly overkill for their task domain?
-- Which workflows look expensive relative to their recent value or stability?
-- Which workflows may overlap in purpose, trigger pattern, or schedule?
-- Which scheduled workflows look underused or weakly justified by recent activity?
-
-When making portfolio judgments:
-
-- Prefer evidence from recent run history, repeated assessments, and episode patterns.
-- Use targeted workflow-file inspection only to confirm schedule or trigger overlap.
-- Be explicit about uncertainty when recent data is too thin.
-- Do not claim repository-local overlap with high confidence unless names, task domains, run patterns, or workflow definitions materially support it.
-- Do not attempt organization-wide governance or replacement planning from this repository-level report.
-
-Treat these as optimization and cleanup opportunities unless they also cross the operational escalation thresholds.
-
-When the evidence supports it, use the visual charts to strengthen portfolio observations. For example, use the overlap matrix to support possible consolidation, or the portfolio map to justify why a workflow belongs in `optimize` rather than `retire`.
-
-## Escalation Thresholds
-
-Use the discussion as the complete source of truth for all qualifying workflows and episodes. Prefer episode-level escalation when `episodes[].escalation_eligible == true`. Only fall back to workflow-level counting when episode data is missing or clearly incomplete.
-
-An episode is escalation-worthy when the deterministic data shows repeated regression, especially when one of these is true:
-
-1. `episodes[].escalation_eligible == true`
-2. `episodes[].escalation_reason` indicates repeated risky runs, repeated new MCP failures, repeated blocked-request increases, repeated resource-heavy behavior, or repeated poor control
-
-If you need to fall back to workflow-level counting, use these thresholds over the last 14 days:
-
-1. Two or more runs for the same workflow have `comparison.classification.label == "risky"`.
-2. Two or more runs for the same workflow contain `new_mcp_failure` or `blocked_requests_increase` in `comparison.classification.reason_codes`.
-3. Two or more runs for the same workflow contain a medium or high severity `resource_heavy_for_domain` assessment.
-4. Two or more runs for the same workflow contain a medium or high severity `poor_agentic_control` assessment.
-
-Do not open one issue per workflow. Create at most one escalation issue for the whole run.
-
-If no workflow crosses these thresholds, do not create an escalation issue.
-
-If one or more workflows do cross these thresholds, create a single escalation issue that groups the highest-value follow-up work for repository owners. The escalation issue should summarize the workflows that need attention now, why they crossed the thresholds, and what change is recommended first.
-
-Prefer escalating at the episode level when multiple risky runs are part of one coherent DAG. Only fall back to workflow-level escalation when no broader episode can be established with acceptable confidence.
-
-When you escalate an episode, include its `suggested_route` and use that as the first routing hint. If the route is weak or ambiguous, say that explicitly and fall back to repository owners.
-
-## Optimization Candidates
-
-Do not create issues for these by default. Report them in the discussion unless they are severe and repeated:
-
-- repeated `overkill_for_agentic`
-- workflows that are consistently `lean`, `directed`, and `narrow`
-- workflows that are always compared using `latest_success` instead of `cohort_match`
-- workflows whose recent activity or cost makes them look weakly justified at repository scope
-- workflows that appear to overlap and could plausibly be consolidated
-
-These are portfolio cleanup opportunities, not immediate incidents.
-
-## Use Of Audit
-
-Use `audit` only when the logs summary is not enough to explain a top problem. Good audit candidates are:
-
-- the newest risky run for a workflow with repeated warnings
-- a run with a new MCP failure
-- a run that changed from read-only to write-capable posture
-
-When you use `audit`, fold the extra evidence back into the report instead of dumping raw output.
-
-## Output Requirements
-
-### Discussion
-
-Always create one discussion that includes:
-
-- the date range analyzed
-- any important orchestrator, worker, or workflow_run chains that materially change interpretation
-- the most important inferred episodes and their confidence levels
-- all workflows that crossed the escalation thresholds
-- the workflows with the clearest repeated risk
-- the most common assessment kinds
-- 4 embedded charts in a `### Visual Diagnostics` section
-- a short list of deterministic candidates
-- a short repository-level portfolio section covering stale, overlapping, or weakly justified workflows when the evidence supports it
-- a short list of workflows that need owner attention now
-
-The discussion should cover all qualifying workflows even when no escalation issue is created.
-
-### Issues
-
-Only create an escalation issue when at least one workflow crossed the escalation thresholds. When you do:
-
-- create one issue for the whole run, not one issue per workflow
-- use a concrete title that signals repository-level owner attention is needed
-- group the escalated workflows in priority order
-- group escalated episodes or workflows by `suggested_route` when that improves triage
-- explain the evidence with run counts and the specific assessment or comparison reason codes
-- include the most relevant recommendation for each escalated workflow
-- link up to 3 representative runs across the highest-priority workflows
-- make the issue concise enough to function as a backlog item, with the full detail living in the discussion
-
-### No-op
-
-If the repository has no recent runs or no report can be produced, call `noop` with a short explanation. Otherwise do not use `noop`.
diff --git a/.github/workflows/agentic-optimization-kit.lock.yml b/.github/workflows/agentic-optimization-kit.lock.yml
deleted file mode 100644
index 383a8cddec8..00000000000
--- a/.github/workflows/agentic-optimization-kit.lock.yml
+++ /dev/null
@@ -1,1816 +0,0 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c7017f956faa900fdb3f6f7223bb436781c030e4e04ce7010792c0b4e4d7a468","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"astral-sh/setup-uv","sha":"eac588ad8def6316056a12d4907a9d4d84ff7a3b","version":"eac588ad8def6316056a12d4907a9d4d84ff7a3b"},{"repo":"docker/build-push-action","sha":"bcafcacb16a39f128d818304e6c9c0c18556b85f","version":"v7.1.0"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28","digest":"sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28","digest":"sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28","digest":"sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0","digest":"sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
-# ___ _ _
-# / _ \ | | (_)
-# | |_| | __ _ ___ _ __ | |_ _ ___
-# | _ |/ _` |/ _ \ '_ \| __| |/ __|
-# | | | | (_| | __/ | | | |_| | (__
-# \_| |_/\__, |\___|_| |_|\__|_|\___|
-# __/ |
-# _ _ |___/
-# | | | | / _| |
-# | | | | ___ _ __ _ __| |_| | _____ ____
-# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___|
-# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \
-# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
-#
-# This file was automatically generated by gh-aw. DO NOT EDIT.
-#
-# To update this file, edit the corresponding .md file and run:
-# gh aw compile
-# Not all edits will cause changes to this file.
-#
-# For more information: https://github.github.com/gh-aw/introduction/overview/
-#
-# Weekly consolidated kit combining token audit, optimization targeting, and agentic observability into one actionable report with prompt artifacts
-#
-# Resolved workflow manifest:
-# Imports:
-# - copilot-setup-steps.yml
-# - shared/daily-audit-discussion.md
-# - shared/mcp/gh-aw.md
-# - shared/observability-otlp.md
-# - shared/repo-memory-standard.md
-# - shared/reporting.md
-# - shared/daily-audit-base.md
-# - shared/trending-charts-simple.md
-# - shared/daily-audit-charts.md
-#
-# Secrets used:
-# - GH_AW_GITHUB_MCP_SERVER_TOKEN
-# - GH_AW_GITHUB_TOKEN
-# - GH_AW_OTEL_ENDPOINT
-# - GH_AW_OTEL_HEADERS
-# - GITHUB_TOKEN
-#
-# Custom actions used:
-# - actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-# - actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-# - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-# - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
-# - actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-# - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-# - actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-# - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-# - astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # eac588ad8def6316056a12d4907a9d4d84ff7a3b
-# - docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-# - docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-#
-# Container images used:
-# - ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a
-# - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb
-# - ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474
-# - ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d
-# - ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959
-# - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
-
-name: "Agentic Optimization Kit"
-"on":
- schedule:
- - cron: "14 21 * * 1"
- # Friendly format: weekly on monday (scattered)
- workflow_dispatch:
- inputs:
- aw_context:
- default: ""
- description: Agent caller context (used internally by Agentic Workflows).
- required: false
- type: string
-
-permissions: {}
-
-concurrency:
- group: "gh-aw-${{ github.workflow }}"
-
-run-name: "Agentic Optimization Kit"
-
-env:
- OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
- OTEL_SERVICE_NAME: gh-aw
- OTEL_EXPORTER_OTLP_HEADERS: ${{ secrets.GH_AW_OTEL_HEADERS }}
-
-jobs:
- activation:
- runs-on: ubuntu-slim
- permissions:
- actions: read
- contents: read
- outputs:
- comment_id: ""
- comment_repo: ""
- engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
- lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
- model: ${{ steps.generate_aw_info.outputs.model }}
- setup-trace-id: ${{ steps.setup.outputs.trace-id }}
- stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- - name: Mask OTLP telemetry headers
- run: bash "${RUNNER_TEMP}/gh-aw/actions/mask_otlp_headers.sh"
- - name: Generate agentic run info
- id: generate_aw_info
- env:
- GH_AW_INFO_ENGINE_ID: "copilot"
- GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
- GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'auto' }}
- GH_AW_INFO_VERSION: "1.0.36"
- GH_AW_INFO_AGENT_VERSION: "1.0.36"
- GH_AW_INFO_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_INFO_EXPERIMENTAL: "false"
- GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
- GH_AW_INFO_STAGED: "false"
- GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","python"]'
- GH_AW_INFO_FIREWALL_ENABLED: "true"
- GH_AW_INFO_AWF_VERSION: "v0.25.28"
- GH_AW_INFO_AWMG_VERSION: ""
- GH_AW_INFO_FIREWALL_TYPE: "squid"
- GH_AW_COMPILED_STRICT: "true"
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
- await main(core, context);
- - name: Checkout .github and .agents folders
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- sparse-checkout: |
- .github
- .agents
- actions/setup
- .claude
- .codex
- .crush
- .gemini
- .opencode
- sparse-checkout-cone-mode: true
- fetch-depth: 1
- - name: Save agent config folders for base branch restoration
- env:
- GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode"
- GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md opencode.jsonc"
- # poutine:ignore untrusted_checkout_exec
- run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
- - name: Check workflow lock file
- id: check-lock-file
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_WORKFLOW_FILE: "agentic-optimization-kit.lock.yml"
- GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}"
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs');
- await main();
- - name: Create prompt with built-in context
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ runner.temp }}/gh-aw/safeoutputs/outputs.jsonl
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- GH_AW_WIKI_NOTE: ${{ '' }}
- # poutine:ignore untrusted_checkout_exec
- run: |
- bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
- {
- cat << 'GH_AW_PROMPT_36712a26122ad0ba_EOF'
-
- GH_AW_PROMPT_36712a26122ad0ba_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/agentic_workflows_guide.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md"
- cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_36712a26122ad0ba_EOF'
-
- Tools: create_issue, create_discussion, upload_asset(max:5), missing_tool, missing_data, noop
-
- upload_asset: provide a file path; returns a URL; assets are published after the workflow completes (safeoutputs).
-
- GH_AW_PROMPT_36712a26122ad0ba_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_36712a26122ad0ba_EOF'
-
- The following GitHub context information is available for this workflow:
- {{#if __GH_AW_GITHUB_ACTOR__ }}
- - **actor**: __GH_AW_GITHUB_ACTOR__
- {{/if}}
- {{#if __GH_AW_GITHUB_REPOSITORY__ }}
- - **repository**: __GH_AW_GITHUB_REPOSITORY__
- {{/if}}
- {{#if __GH_AW_GITHUB_WORKSPACE__ }}
- - **workspace**: __GH_AW_GITHUB_WORKSPACE__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }}
- - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }}
- - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }}
- - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__
- {{/if}}
- {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }}
- - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__
- {{/if}}
- {{#if __GH_AW_GITHUB_RUN_ID__ }}
- - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__
- {{/if}}
-
-
- GH_AW_PROMPT_36712a26122ad0ba_EOF
- cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_36712a26122ad0ba_EOF'
-
- {{#runtime-import .github/workflows/shared/mcp/gh-aw.md}}
- {{#runtime-import .github/workflows/shared/trending-charts-simple.md}}
- {{#runtime-import .github/workflows/shared/reporting.md}}
- {{#runtime-import .github/workflows/shared/observability-otlp.md}}
- {{#runtime-import .github/workflows/agentic-optimization-kit.md}}
- GH_AW_PROMPT_36712a26122ad0ba_EOF
- } > "$GH_AW_PROMPT"
- - name: Interpolate variables and render templates
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs');
- await main();
- - name: Substitute placeholders
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_ALLOWED_EXTENSIONS: ''
- GH_AW_CACHE_DESCRIPTION: ''
- GH_AW_CACHE_DIR: '/tmp/gh-aw/cache-memory/'
- GH_AW_GITHUB_ACTOR: ${{ github.actor }}
- GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
- GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
- GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
- GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
- GH_AW_MCP_CLI_SERVERS_LIST: "- `agenticworkflows` β run `agenticworkflows --help` to see available tools\n- `safeoutputs` β run `safeoutputs --help` to see available tools"
- GH_AW_MEMORY_BRANCH_NAME: 'memory/token-audit'
- GH_AW_MEMORY_CONSTRAINTS: "\n\n**Constraints:**\n- **Allowed Files**: Only files matching patterns: *.json, *.jsonl, *.csv, *.md\n- **Max File Size**: 102400 bytes (0.10 MB) per file\n- **Max File Count**: 100 files per commit\n- **Max Patch Size**: 51200 bytes (50 KB) total per push (max: 100 KB)\n"
- GH_AW_MEMORY_DESCRIPTION: ' Historical daily Copilot token usage snapshots (shared with copilot-token-audit)'
- GH_AW_MEMORY_DIR: '/tmp/gh-aw/repo-memory/default/'
- GH_AW_MEMORY_TARGET_REPO: ' of the current repository'
- GH_AW_WIKI_NOTE: ''
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
-
- const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs');
-
- // Call the substitution function
- return await substitutePlaceholders({
- file: process.env.GH_AW_PROMPT,
- substitutions: {
- GH_AW_ALLOWED_EXTENSIONS: process.env.GH_AW_ALLOWED_EXTENSIONS,
- GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION,
- GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR,
- GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR,
- GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID,
- GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER,
- GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER,
- GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER,
- GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
- GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
- GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
- GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST,
- GH_AW_MEMORY_BRANCH_NAME: process.env.GH_AW_MEMORY_BRANCH_NAME,
- GH_AW_MEMORY_CONSTRAINTS: process.env.GH_AW_MEMORY_CONSTRAINTS,
- GH_AW_MEMORY_DESCRIPTION: process.env.GH_AW_MEMORY_DESCRIPTION,
- GH_AW_MEMORY_DIR: process.env.GH_AW_MEMORY_DIR,
- GH_AW_MEMORY_TARGET_REPO: process.env.GH_AW_MEMORY_TARGET_REPO,
- GH_AW_WIKI_NOTE: process.env.GH_AW_WIKI_NOTE
- }
- });
- - name: Validate prompt placeholders
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- # poutine:ignore untrusted_checkout_exec
- run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh"
- - name: Print prompt
- env:
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- # poutine:ignore untrusted_checkout_exec
- run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh"
- - name: Upload activation artifact
- if: success()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: activation
- path: |
- /tmp/gh-aw/aw_info.json
- /tmp/gh-aw/aw-prompts/prompt.txt
- /tmp/gh-aw/github_rate_limits.jsonl
- /tmp/gh-aw/base
- if-no-files-found: ignore
- retention-days: 1
-
- agent:
- needs: activation
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- copilot-requests: write
- discussions: read
- issues: read
- pull-requests: read
- concurrency:
- group: "gh-aw-copilot-${{ github.workflow }}"
- env:
- DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
- GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg,.svg"
- GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
- GH_AW_ASSETS_MAX_SIZE_KB: 10240
- GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- GH_AW_WORKFLOW_ID_SANITIZED: agenticoptimizationkit
- outputs:
- agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout || 'false' }}
- checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
- effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
- has_patch: ${{ steps.collect_output.outputs.has_patch }}
- inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error || 'false' }}
- mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error || 'false' }}
- model: ${{ needs.activation.outputs.model }}
- model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error || 'false' }}
- output: ${{ steps.collect_output.outputs.output }}
- output_types: ${{ steps.collect_output.outputs.output_types }}
- setup-trace-id: ${{ steps.setup.outputs.trace-id }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Set runtime paths
- id: set-runtime-paths
- run: |
- {
- echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl"
- echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json"
- echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
- } >> "$GITHUB_OUTPUT"
- - name: Mask OTLP telemetry headers
- run: bash "${RUNNER_TEMP}/gh-aw/actions/mask_otlp_headers.sh"
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Setup Go for CLI build
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
- with:
- go-version-file: go.mod
- cache: true
- - name: Build gh-aw CLI
- run: |
- echo "Building gh-aw CLI for linux/amd64..."
- mkdir -p dist
- VERSION=$(git describe --tags --always --dirty)
- CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
- -ldflags "-s -w -X main.version=${VERSION}" \
- -o dist/gh-aw-linux-amd64 \
- ./cmd/gh-aw
- # Copy binary to root for direct execution in user-defined steps
- cp dist/gh-aw-linux-amd64 ./gh-aw
- chmod +x ./gh-aw
- echo "β Built gh-aw CLI successfully"
- - name: Setup Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
- - name: Build gh-aw Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
- with:
- context: .
- platforms: linux/amd64
- push: false
- load: true
- tags: localhost/gh-aw:dev
- build-args: |
- BINARY=dist/gh-aw-linux-amd64
- - name: Setup Go
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
- with:
- go-version: '1.25'
- cache: false
- - name: Capture GOROOT for AWF chroot mode
- run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
- - name: Setup Node.js
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
- with:
- node-version: '24'
- cache: 'npm'
- cache-dependency-path: 'actions/setup/js/package-lock.json'
- package-manager-cache: false
- - name: Setup Python
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
- with:
- python-version: '3.12'
- - name: Create gh-aw temp directory
- run: bash "${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh"
- - name: Configure gh CLI for GitHub Enterprise
- run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
- env:
- GH_TOKEN: ${{ github.token }}
- - name: Install gh-aw extension
- run: curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
- - name: Install npm dependencies
- run: cd actions/setup/js && npm ci
- - name: Install development dependencies
- run: make deps-dev
- - name: Build code
- run: make build
- - env:
- GH_TOKEN: ${{ github.token }}
- name: Recompile workflows
- run: make recompile || true
- - name: Setup uv
- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # eac588ad8def6316056a12d4907a9d4d84ff7a3b
- - name: Install Go language server (gopls)
- run: go install golang.org/x/tools/gopls@latest
- - name: Install TypeScript language server
- run: npm install -g typescript-language-server typescript
- - env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- name: Install gh-aw extension
- run: "# Install gh-aw if not already available\nif ! gh aw --version >/dev/null 2>&1; then\n echo \"Installing gh-aw extension...\"\n curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash\nfi\ngh aw --version\n# Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization\nmkdir -p \"${RUNNER_TEMP}/gh-aw\"\nGH_AW_BIN=\"\"\nGH_AW_BIN=$(command -v gh-aw 2>/dev/null) || true\nif [ -z \"$GH_AW_BIN\" ]; then\n GH_AW_BIN=$(find \"${HOME}/.local/share/gh/extensions/gh-aw\" -name 'gh-aw' -type f 2>/dev/null | head -1) || true\nfi\nif [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n cp \"$GH_AW_BIN\" \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n chmod +x \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n echo \"Copied gh-aw binary to ${RUNNER_TEMP}/gh-aw/gh-aw\"\nelse\n echo \"::error::Failed to find gh-aw binary for MCP server\"\n exit 1\nfi\n"
- - name: Setup Python environment
- run: "mkdir -p /tmp/gh-aw/python/{data,charts,artifacts}\n# Create a virtual environment for proper package isolation (avoids --break-system-packages)\nif [ ! -d /tmp/gh-aw/venv ]; then\n python3 -m venv /tmp/gh-aw/venv\nfi\necho \"/tmp/gh-aw/venv/bin\" >> \"$GITHUB_PATH\"\n/tmp/gh-aw/venv/bin/pip install --quiet numpy pandas matplotlib seaborn scipy\n"
- - if: always()
- name: Upload source files and data
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- if-no-files-found: warn
- name: trending-source-and-data
- path: |
- /tmp/gh-aw/python/*.py
- /tmp/gh-aw/python/data/*
- retention-days: 30
- - env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Download Copilot workflow logs
- run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\necho \"π₯ Downloading Copilot workflow logs (last 7 days, up to 500 runs)...\"\n\nLOGS_EXIT=0\ngh aw logs \\\n --engine copilot \\\n --start-date -7d \\\n --json \\\n -c 500 \\\n > /tmp/gh-aw/token-audit/all-runs.json || LOGS_EXIT=$?\n\nif [ -s /tmp/gh-aw/token-audit/all-runs.json ]; then\n TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/all-runs.json)\n echo \"β
Downloaded $TOTAL Copilot workflow runs\"\n if [ \"$LOGS_EXIT\" -ne 0 ]; then\n echo \"β οΈ gh aw logs exited with code $LOGS_EXIT (partial results β likely API rate limit)\"\n fi\nelse\n echo \"β No log data downloaded (exit code $LOGS_EXIT)\"\n echo '{\"runs\":[],\"summary\":{}}' > /tmp/gh-aw/token-audit/all-runs.json\nfi\n"
- - name: Pre-aggregate top workflows by token usage
- run: "set -euo pipefail\nmkdir -p /tmp/gh-aw/token-audit\n\njq '{\n generated_at: (now | todateiso8601),\n window_days: 7,\n top_workflows: (\n [.runs[]\n | select(.status == \"completed\")\n | {\n workflow_name: .workflow_name,\n tokens: (.token_usage // 0),\n effective_tokens: (.effective_tokens // 0),\n cost: (.estimated_cost // 0),\n turns: (.turns // 0),\n action_minutes: (.action_minutes // 0),\n error_count: (.error_count // 0),\n warning_count: (.warning_count // 0)\n }\n ]\n | sort_by(.workflow_name)\n | group_by(.workflow_name)\n | map({\n workflow_name: .[0].workflow_name,\n run_count: length,\n total_tokens: (map(.tokens) | add // 0),\n avg_tokens: ((map(.tokens) | add // 0) / length),\n total_effective_tokens: (map(.effective_tokens) | add // 0),\n total_cost: (map(.cost) | add // 0),\n avg_cost: ((map(.cost) | add // 0) / length),\n total_turns: (map(.turns) | add // 0),\n avg_turns: ((map(.turns) | add // 0) / length),\n total_action_minutes: (map(.action_minutes) | add // 0),\n total_errors: (map(.error_count) | add // 0),\n total_warnings: (map(.warning_count) | add // 0)\n })\n | sort_by(.total_tokens)\n | reverse\n | .[:10]\n )\n}' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/top-workflows.json\n\necho \"β
Pre-aggregated top workflows\"\njq '.top_workflows[] | \"\\(.workflow_name): \\(.total_tokens) tokens\"' -r /tmp/gh-aw/token-audit/top-workflows.json\n"
- - name: Load optimization history from repo-memory
- run: "set -euo pipefail\n\nOPT_LOG=\"/tmp/gh-aw/repo-memory/default/optimization-log.json\"\nROLLING=\"/tmp/gh-aw/repo-memory/default/rolling-summary.json\"\n\nif [ -f \"$OPT_LOG\" ]; then\n echo \"β
Previous optimizations:\"\n jq -r '.[] | \"\\(.date): \\(.workflow_name)\"' \"$OPT_LOG\" | tail -10\nelse\n echo \"βΉοΈ No previous optimization history found.\"\nfi\n\nif [ -f \"$ROLLING\" ]; then\n echo \"β
Rolling summary entries: $(jq 'length' \"$ROLLING\")\"\nelse\n echo \"βΉοΈ No rolling summary found.\"\nfi\n"
-
- # Cache memory file share configuration from frontmatter processed below
- - name: Create cache-memory directory
- run: bash "${RUNNER_TEMP}/gh-aw/actions/create_cache_memory_dir.sh"
- - name: Restore cache-memory file share data
- uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- with:
- key: memory-none-nopolicy-trending-data-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
- path: /tmp/gh-aw/cache-memory
- restore-keys: |
- memory-none-nopolicy-trending-data-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-
- - name: Setup cache-memory git repository
- env:
- GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory
- GH_AW_MIN_INTEGRITY: none
- run: bash "${RUNNER_TEMP}/gh-aw/actions/setup_cache_memory_git.sh"
- # Repo memory git-based storage configuration from frontmatter processed below
- - name: Clone repo-memory branch (default)
- env:
- GH_TOKEN: ${{ github.token }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- BRANCH_NAME: memory/token-audit
- TARGET_REPO: ${{ github.repository }}
- MEMORY_DIR: /tmp/gh-aw/repo-memory/default
- CREATE_ORPHAN: true
- run: bash "${RUNNER_TEMP}/gh-aw/actions/clone_repo_memory_branch.sh"
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Checkout PR branch
- id: checkout-pr
- if: |
- github.event.pull_request || github.event.issue.pull_request
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
- await main();
- - name: Install GitHub Copilot CLI
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.36
- env:
- GH_HOST: github.com
- - name: Install AWF binary
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.28
- - name: Determine automatic lockdown mode for GitHub MCP Server
- id: determine-automatic-lockdown
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- with:
- script: |
- const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
- await determineAutomaticLockdown(github, context, core);
- - name: Download activation artifact
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: activation
- path: /tmp/gh-aw
- - name: Restore agent config folders from base branch
- if: steps.checkout-pr.outcome == 'success'
- env:
- GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode"
- GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md opencode.jsonc"
- run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
- - name: Download container images
- run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474 ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
- - name: Write Safe Outputs Config
- env:
- GITHUB_WORKFLOW: ${{ github.workflow }}
- run: |
- mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
- mkdir -p /tmp/gh-aw/safeoutputs
- mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << GH_AW_SAFE_OUTPUTS_CONFIG_3681eb46b8b94953_EOF
- {"create_discussion":{"category":"audits","close_older_discussions":true,"expires":168,"fallback_to_issue":true,"max":1,"title_prefix":"[agentic-optimization-kit] "},"create_issue":{"close_older_issues":true,"labels":["agentics","warning","observability"],"max":1,"title_prefix":"[agentic-optimization escalation] "},"create_report_incomplete_issue":{},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":51200}]},"report_incomplete":{},"upload_asset":{"allowed-exts":[".png",".jpg",".jpeg",".svg"],"branch":"assets/${GITHUB_WORKFLOW}","max":5,"max-size":10240}}
- GH_AW_SAFE_OUTPUTS_CONFIG_3681eb46b8b94953_EOF
- - name: Write Safe Outputs Tools
- env:
- GH_AW_TOOLS_META_JSON: |
- {
- "description_suffixes": {
- "create_discussion": " CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[agentic-optimization-kit] \". Discussions will be created in category \"audits\".",
- "create_issue": " CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[agentic-optimization escalation] \". Labels [\"agentics\" \"warning\" \"observability\"] will be automatically added.",
- "upload_asset": " CONSTRAINTS: Maximum 5 asset(s) can be uploaded. Maximum file size: 10240KB. Allowed file extensions: [.png .jpg .jpeg .svg]."
- },
- "repo_params": {},
- "dynamic_tools": []
- }
- GH_AW_VALIDATION_JSON: |
- {
- "create_discussion": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "category": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "create_issue": {
- "defaultMax": 1,
- "fields": {
- "body": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "labels": {
- "type": "array",
- "itemType": "string",
- "itemSanitize": true,
- "itemMaxLength": 128
- },
- "parent": {
- "issueOrPRNumber": true
- },
- "repo": {
- "type": "string",
- "maxLength": 256
- },
- "temporary_id": {
- "type": "string"
- },
- "title": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "missing_data": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "context": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "data_type": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- },
- "reason": {
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- }
- }
- },
- "missing_tool": {
- "defaultMax": 20,
- "fields": {
- "alternatives": {
- "type": "string",
- "sanitize": true,
- "maxLength": 512
- },
- "reason": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 256
- },
- "tool": {
- "type": "string",
- "sanitize": true,
- "maxLength": 128
- }
- }
- },
- "noop": {
- "defaultMax": 1,
- "fields": {
- "message": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- }
- }
- },
- "report_incomplete": {
- "defaultMax": 5,
- "fields": {
- "details": {
- "type": "string",
- "sanitize": true,
- "maxLength": 65000
- },
- "reason": {
- "required": true,
- "type": "string",
- "sanitize": true,
- "maxLength": 1024
- }
- }
- },
- "upload_asset": {
- "defaultMax": 10,
- "fields": {
- "path": {
- "required": true,
- "type": "string"
- }
- }
- }
- }
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_safe_outputs_tools.cjs');
- await main();
- - name: Generate Safe Outputs MCP Server Config
- id: safe-outputs-config
- run: |
- # Generate a secure random API key (360 bits of entropy, 40+ chars)
- # Mask immediately to prevent timing vulnerabilities
- API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
- echo "::add-mask::${API_KEY}"
-
- PORT=3001
-
- # Set outputs for next steps
- {
- echo "safe_outputs_api_key=${API_KEY}"
- echo "safe_outputs_port=${PORT}"
- } >> "$GITHUB_OUTPUT"
-
- echo "Safe Outputs MCP server will run on port ${PORT}"
-
- - name: Start Safe Outputs MCP HTTP Server
- id: safe-outputs-start
- env:
- DEBUG: '*'
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}
- GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}
- GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json
- GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json
- GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
- run: |
- # Environment variables are set above to prevent template injection
- export DEBUG
- export GH_AW_SAFE_OUTPUTS
- export GH_AW_SAFE_OUTPUTS_PORT
- export GH_AW_SAFE_OUTPUTS_API_KEY
- export GH_AW_SAFE_OUTPUTS_TOOLS_PATH
- export GH_AW_SAFE_OUTPUTS_CONFIG_PATH
- export GH_AW_MCP_LOG_DIR
-
- bash "${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh"
-
- - name: Start MCP Gateway
- id: start-mcp-gateway
- env:
- GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}
- GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}
- GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
- GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
- GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
- GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
- GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- set -eo pipefail
- mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config"
-
- # Export gateway environment variables for MCP config and gateway script
- export MCP_GATEWAY_PORT="8080"
- export MCP_GATEWAY_DOMAIN="host.docker.internal"
- MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
- echo "::add-mask::${MCP_GATEWAY_API_KEY}"
- export MCP_GATEWAY_API_KEY
- export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads"
- mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}"
- export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288"
- export DEBUG="*"
-
- export GH_AW_ENGINE="copilot"
- export GH_AW_MCP_CLI_SERVERS='["agenticworkflows","safeoutputs"]'
- echo 'GH_AW_MCP_CLI_SERVERS=["agenticworkflows","safeoutputs"]' >> "$GITHUB_ENV"
- MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0')
- MCP_GATEWAY_GID=$(id -g 2>/dev/null || echo '0')
- DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo '0')
- export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.0'
-
- mkdir -p /home/runner/.copilot
- GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_7edb75583679fafb_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
- {
- "mcpServers": {
- "agenticworkflows": {
- "type": "stdio",
- "container": "localhost/gh-aw:dev",
- "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"],
- "args": ["--network", "host", "-w", "\${GITHUB_WORKSPACE}"],
- "env": {
- "DEBUG": "*",
- "GITHUB_TOKEN": "\${GITHUB_TOKEN}",
- "GITHUB_ACTOR": "\${GITHUB_ACTOR}",
- "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}"
- },
- "guard-policies": {
- "write-sink": {
- "accept": [
- "*"
- ]
- }
- }
- },
- "github": {
- "type": "stdio",
- "container": "ghcr.io/github/github-mcp-server:v1.0.3",
- "env": {
- "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
- "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
- "GITHUB_READ_ONLY": "1",
- "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,discussions"
- },
- "guard-policies": {
- "allow-only": {
- "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
- "repos": "$GITHUB_MCP_GUARD_REPOS"
- }
- }
- },
- "safeoutputs": {
- "type": "http",
- "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT",
- "headers": {
- "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}"
- },
- "guard-policies": {
- "write-sink": {
- "accept": [
- "*"
- ]
- }
- }
- }
- },
- "gateway": {
- "port": $MCP_GATEWAY_PORT,
- "domain": "${MCP_GATEWAY_DOMAIN}",
- "apiKey": "${MCP_GATEWAY_API_KEY}",
- "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}",
- "opentelemetry": {
- "endpoint": "${{ secrets.GH_AW_OTEL_ENDPOINT }}",
- "headers": "${OTEL_EXPORTER_OTLP_HEADERS}",
- "traceId": "${GITHUB_AW_OTEL_TRACE_ID}",
- "spanId": "${GITHUB_AW_OTEL_PARENT_SPAN_ID}"
- }
- }
- }
- GH_AW_MCP_CONFIG_7edb75583679fafb_EOF
- - name: Mount MCP servers as CLIs
- id: mount-mcp-clis
- continue-on-error: true
- env:
- MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
- MCP_GATEWAY_DOMAIN: ${{ steps.start-mcp-gateway.outputs.gateway-domain }}
- MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/mount_mcp_as_cli.cjs');
- await main();
- - name: Clean git credentials
- continue-on-error: true
- run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh"
- - name: Execute GitHub Copilot CLI
- id: agentic_execution
- # Copilot CLI tool arguments (sorted):
- timeout-minutes: 35
- run: |
- set -o pipefail
- touch /tmp/gh-aw/agent-step-summary.md
- GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
- export GH_AW_NODE_BIN
- (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
- # shellcheck disable=SC1003
- sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.28,squid=sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474,agent=sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a,api-proxy=sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb,cli-proxy=sha256:fdf310e4678ce58d248c466b89399e9680a3003038fd19322c388559016aaac7 --skip-pull --enable-api-proxy \
- -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
- env:
- COPILOT_AGENT_RUNNER_TYPE: STANDALONE
- COPILOT_API_KEY: dummy-byok-key-for-offline-mode
- COPILOT_GITHUB_TOKEN: ${{ github.token }}
- COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
- GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg,.svg"
- GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
- GH_AW_ASSETS_MAX_SIZE_KB: 10240
- GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
- GH_AW_PHASE: agent
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_VERSION: dev
- GITHUB_API_URL: ${{ github.api_url }}
- GITHUB_AW: true
- GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
- GITHUB_HEAD_REF: ${{ github.head_ref }}
- GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
- GITHUB_WORKSPACE: ${{ github.workspace }}
- GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_AUTHOR_NAME: github-actions[bot]
- GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_COMMITTER_NAME: github-actions[bot]
- S2STOKENS: true
- XDG_CONFIG_HOME: /home/runner
- - name: Detect Copilot errors
- id: detect-copilot-errors
- if: always()
- continue-on-error: true
- run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Copy Copilot session state files to logs
- if: always()
- continue-on-error: true
- run: bash "${RUNNER_TEMP}/gh-aw/actions/copy_copilot_session_state.sh"
- - name: Stop MCP Gateway
- if: always()
- continue-on-error: true
- env:
- MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }}
- MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }}
- GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }}
- run: |
- bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID"
- - name: Redact secrets in logs
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs');
- await main();
- env:
- GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_OTEL_ENDPOINT,GITHUB_TOKEN'
- SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
- SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
- SECRET_GH_AW_OTEL_ENDPOINT: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
- SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Append agent step summary
- if: always()
- run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh"
- - name: Copy Safe Outputs
- if: always()
- env:
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- run: |
- mkdir -p /tmp/gh-aw
- cp "$GH_AW_SAFE_OUTPUTS" /tmp/gh-aw/safeoutputs.jsonl 2>/dev/null || true
- - name: Ingest agent output
- id: collect_output
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
- GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
- GH_AW_ALLOWED_GITHUB_REFS: ""
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_API_URL: ${{ github.api_url }}
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs');
- await main();
- - name: Parse agent logs for step summary
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_copilot_log.cjs');
- await main();
- - name: Parse MCP Gateway logs for step summary
- if: always()
- id: parse-mcp-gateway
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs');
- await main();
- - name: Print firewall logs
- if: always()
- continue-on-error: true
- env:
- AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
- run: |
- # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
- # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
- # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
- if command -v awf &> /dev/null; then
- awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
- else
- echo 'AWF binary not installed, skipping firewall log summary'
- fi
- - name: Parse token usage for step summary
- if: always()
- continue-on-error: true
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
- await main();
- - name: Generate observability summary
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_observability_summary.cjs');
- await main(core);
- - name: Write agent output placeholder if missing
- if: always()
- run: |
- if [ ! -f /tmp/gh-aw/agent_output.json ]; then
- echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
- fi
- # Upload repo memory as artifacts for push job
- - name: Upload repo-memory artifact (default)
- if: always()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: repo-memory-default
- path: /tmp/gh-aw/repo-memory/default
- retention-days: 1
- if-no-files-found: ignore
- - name: Commit cache-memory changes
- if: always()
- env:
- GH_AW_CACHE_DIR: /tmp/gh-aw/cache-memory
- run: bash "${RUNNER_TEMP}/gh-aw/actions/commit_cache_memory_git.sh"
- - name: Upload cache-memory data as artifact
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- if: always()
- with:
- name: cache-memory
- path: /tmp/gh-aw/cache-memory
- # Upload safe-outputs assets for upload_assets job
- - name: Upload Safe Outputs Assets
- if: always()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: safe-outputs-assets
- path: /tmp/gh-aw/safeoutputs/assets/
- retention-days: 1
- if-no-files-found: ignore
- - name: Upload agent artifacts
- if: always()
- continue-on-error: true
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: agent
- path: |
- /tmp/gh-aw/aw-prompts/prompt.txt
- /tmp/gh-aw/sandbox/agent/logs/
- /tmp/gh-aw/redacted-urls.log
- /tmp/gh-aw/mcp-logs/
- /tmp/gh-aw/agent_usage.json
- /tmp/gh-aw/agent-stdio.log
- /tmp/gh-aw/agent/
- /tmp/gh-aw/github_rate_limits.jsonl
- /tmp/gh-aw/otel.jsonl
- /tmp/gh-aw/safeoutputs.jsonl
- /tmp/gh-aw/agent_output.json
- /tmp/gh-aw/aw-*.patch
- /tmp/gh-aw/aw-*.bundle
- /tmp/gh-aw/sandbox/firewall/logs/
- /tmp/gh-aw/sandbox/firewall/audit/
- if-no-files-found: ignore
-
- conclusion:
- needs:
- - activation
- - agent
- - detection
- - push_repo_memory
- - safe_outputs
- - update_cache_memory
- - upload_assets
- if: >
- always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
- needs.activation.outputs.stale_lock_file_failed == 'true')
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- concurrency:
- group: "gh-aw-conclusion-agentic-optimization-kit"
- cancel-in-progress: false
- outputs:
- incomplete_count: ${{ steps.report_incomplete.outputs.incomplete_count }}
- noop_message: ${{ steps.noop.outputs.noop_message }}
- tools_reported: ${{ steps.missing_tool.outputs.tools_reported }}
- total_count: ${{ steps.missing_tool.outputs.total_count }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Process no-op messages
- id: noop
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_NOOP_MAX: "1"
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_NOOP_REPORT_AS_ISSUE: "false"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs');
- await main();
- - name: Log detection run
- id: detection_runs
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
- GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_detection_runs.cjs');
- await main();
- - name: Record missing tool
- id: missing_tool
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs');
- await main();
- - name: Record incomplete
- id: report_incomplete
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/report_incomplete_handler.cjs');
- await main();
- - name: Handle agent failure
- id: handle_agent_failure
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
- GH_AW_WORKFLOW_ID: "agentic-optimization-kit"
- GH_AW_ACTION_FAILURE_ISSUE_EXPIRES_HOURS: "12"
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
- GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
- GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
- GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
- GH_AW_MODEL_NOT_SUPPORTED_ERROR: ${{ needs.agent.outputs.model_not_supported_error }}
- GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
- GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }}
- GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }}
- GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
- GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
- GH_AW_PUSH_REPO_MEMORY_RESULT: ${{ needs.push_repo_memory.result }}
- GH_AW_REPO_MEMORY_VALIDATION_FAILED_default: ${{ needs.push_repo_memory.outputs.validation_failed_default }}
- GH_AW_REPO_MEMORY_VALIDATION_ERROR_default: ${{ needs.push_repo_memory.outputs.validation_error_default }}
- GH_AW_REPO_MEMORY_PATCH_SIZE_EXCEEDED_default: ${{ needs.push_repo_memory.outputs.patch_size_exceeded_default }}
- GH_AW_GROUP_REPORTS: "false"
- GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
- GH_AW_TIMEOUT_MINUTES: "35"
- GH_AW_CACHE_MEMORY_ENABLED: "true"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs');
- await main();
-
- detection:
- needs:
- - activation
- - agent
- if: >
- always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
- runs-on: ubuntu-latest
- permissions:
- contents: read
- copilot-requests: write
- outputs:
- detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
- detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
- detection_success: ${{ steps.detection_conclusion.outputs.success }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Checkout repository for patch context
- if: needs.agent.outputs.has_patch == 'true'
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- # --- Threat Detection ---
- - name: Clean stale firewall files from agent artifact
- run: |
- rm -rf /tmp/gh-aw/sandbox/firewall/logs
- rm -rf /tmp/gh-aw/sandbox/firewall/audit
- - name: Download container images
- run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474
- - name: Check if detection needed
- id: detection_guard
- if: always()
- env:
- OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
- HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
- run: |
- if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
- echo "run_detection=true" >> "$GITHUB_OUTPUT"
- echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
- else
- echo "run_detection=false" >> "$GITHUB_OUTPUT"
- echo "Detection skipped: no agent outputs or patches to analyze"
- fi
- - name: Clear MCP Config for detection
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- rm -f "${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json"
- rm -f /home/runner/.copilot/mcp-config.json
- rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
- - name: Prepare threat detection files
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
- cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
- cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
- for f in /tmp/gh-aw/aw-*.patch; do
- [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- done
- for f in /tmp/gh-aw/aw-*.bundle; do
- [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- done
- echo "Prepared threat detection files:"
- ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- - name: Setup threat detection
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- WORKFLOW_NAME: "Agentic Optimization Kit"
- WORKFLOW_DESCRIPTION: "Weekly consolidated kit combining token audit, optimization targeting, and agentic observability into one actionable report with prompt artifacts"
- HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
- await main();
- - name: Ensure threat-detection directory and log
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- run: |
- mkdir -p /tmp/gh-aw/threat-detection
- touch /tmp/gh-aw/threat-detection/detection.log
- - name: Setup Node.js
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
- with:
- node-version: '24'
- package-manager-cache: false
- - name: Install GitHub Copilot CLI
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.36
- env:
- GH_HOST: github.com
- - name: Install AWF binary
- run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.28
- - name: Execute GitHub Copilot CLI
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- id: detection_agentic_execution
- # Copilot CLI tool arguments (sorted):
- timeout-minutes: 20
- run: |
- set -o pipefail
- touch /tmp/gh-aw/agent-step-summary.md
- GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
- export GH_AW_NODE_BIN
- (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
- # shellcheck disable=SC1003
- sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --image-tag 0.25.28,squid=sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474,agent=sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a,api-proxy=sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb,cli-proxy=sha256:fdf310e4678ce58d248c466b89399e9680a3003038fd19322c388559016aaac7 --skip-pull --enable-api-proxy \
- -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
- env:
- COPILOT_AGENT_RUNNER_TYPE: STANDALONE
- COPILOT_API_KEY: dummy-byok-key-for-offline-mode
- COPILOT_GITHUB_TOKEN: ${{ github.token }}
- COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || 'claude-sonnet-4.6' }}
- GH_AW_PHASE: detection
- GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
- GH_AW_VERSION: dev
- GITHUB_API_URL: ${{ github.api_url }}
- GITHUB_AW: true
- GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
- GITHUB_HEAD_REF: ${{ github.head_ref }}
- GITHUB_REF_NAME: ${{ github.ref_name }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
- GITHUB_WORKSPACE: ${{ github.workspace }}
- GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_AUTHOR_NAME: github-actions[bot]
- GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
- GIT_COMMITTER_NAME: github-actions[bot]
- S2STOKENS: true
- XDG_CONFIG_HOME: /home/runner
- - name: Upload threat detection log
- if: always() && steps.detection_guard.outputs.run_detection == 'true'
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: detection
- path: /tmp/gh-aw/threat-detection/detection.log
- if-no-files-found: ignore
- - name: Parse and conclude threat detection
- id: detection_conclusion
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
- GH_AW_DETECTION_CONTINUE_ON_ERROR: "true"
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
- await main();
-
- push_repo_memory:
- needs:
- - activation
- - agent
- - detection
- if: >
- always() && (!cancelled()) && (needs.detection.result == 'success' || needs.detection.result == 'skipped') &&
- needs.agent.result == 'success'
- runs-on: ubuntu-slim
- permissions:
- contents: write
- concurrency:
- group: "push-repo-memory-${{ github.repository }}|memory/token-audit"
- cancel-in-progress: false
- outputs:
- patch_size_exceeded_default: ${{ steps.push_repo_memory_default.outputs.patch_size_exceeded }}
- validation_error_default: ${{ steps.push_repo_memory_default.outputs.validation_error }}
- validation_failed_default: ${{ steps.push_repo_memory_default.outputs.validation_failed }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- sparse-checkout: .
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Download repo-memory artifact (default)
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- continue-on-error: true
- with:
- name: repo-memory-default
- path: /tmp/gh-aw/repo-memory/default
- - name: Push repo-memory changes (default)
- id: push_repo_memory_default
- if: always()
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_TOKEN: ${{ github.token }}
- GITHUB_RUN_ID: ${{ github.run_id }}
- GITHUB_SERVER_URL: ${{ github.server_url }}
- ARTIFACT_DIR: /tmp/gh-aw/repo-memory/default
- MEMORY_ID: default
- TARGET_REPO: ${{ github.repository }}
- BRANCH_NAME: memory/token-audit
- MAX_FILE_SIZE: 102400
- MAX_FILE_COUNT: 100
- MAX_PATCH_SIZE: 51200
- ALLOWED_EXTENSIONS: '[]'
- FILE_GLOB_FILTER: "*.json *.jsonl *.csv *.md"
- with:
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs');
- await main();
- - name: Restore actions folder
- if: always()
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions/setup
- sparse-checkout-cone-mode: true
- persist-credentials: false
-
- safe_outputs:
- needs:
- - activation
- - agent
- - detection
- if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
- runs-on: ubuntu-slim
- permissions:
- contents: read
- discussions: write
- issues: write
- concurrency:
- group: "agentic-optimization-kit-safe-outputs"
- cancel-in-progress: false
- timeout-minutes: 15
- env:
- GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/agentic-optimization-kit"
- GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
- GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
- GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
- GH_AW_ENGINE_VERSION: "1.0.36"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- GH_AW_WORKFLOW_ID: "agentic-optimization-kit"
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- outputs:
- code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
- code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
- create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }}
- create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }}
- created_issue_number: ${{ steps.process_safe_outputs.outputs.created_issue_number }}
- created_issue_url: ${{ steps.process_safe_outputs.outputs.created_issue_url }}
- process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }}
- process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Mask OTLP telemetry headers
- run: bash "${RUNNER_TEMP}/gh-aw/actions/mask_otlp_headers.sh"
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Configure GH_HOST for enterprise compatibility
- id: ghes-host-config
- shell: bash
- run: |
- # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
- # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
- GH_HOST="${GITHUB_SERVER_URL#https://}"
- GH_HOST="${GH_HOST#http://}"
- echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
- - name: Process Safe Outputs
- id: process_safe_outputs
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com"
- GITHUB_SERVER_URL: ${{ github.server_url }}
- GITHUB_API_URL: ${{ github.api_url }}
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"audits\",\"close_older_discussions\":true,\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[agentic-optimization-kit] \"},\"create_issue\":{\"close_older_issues\":true,\"labels\":[\"agentics\",\"warning\",\"observability\"],\"max\":1,\"title_prefix\":\"[agentic-optimization escalation] \"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"false\"},\"report_incomplete\":{},\"upload_asset\":{\"allowed-exts\":[\".png\",\".jpg\",\".jpeg\",\".svg\"],\"branch\":\"assets/${{ github.workflow }}\",\"max\":5,\"max-size\":10240}}"
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs');
- await main();
- - name: Upload Safe Outputs Items
- if: always()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: safe-outputs-items
- path: |
- /tmp/gh-aw/safe-output-items.jsonl
- /tmp/gh-aw/temporary-id-map.json
- if-no-files-found: ignore
-
- update_cache_memory:
- needs:
- - activation
- - agent
- - detection
- if: >
- always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') &&
- needs.agent.result == 'success'
- runs-on: ubuntu-slim
- permissions:
- contents: read
- env:
- GH_AW_WORKFLOW_ID_SANITIZED: agenticoptimizationkit
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Download cache-memory artifact (default)
- id: download_cache_default
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- continue-on-error: true
- with:
- name: cache-memory
- path: /tmp/gh-aw/cache-memory
- - name: Check if cache-memory folder has content (default)
- id: check_cache_default
- shell: bash
- run: |
- if [ -d "/tmp/gh-aw/cache-memory" ] && [ "$(ls -A /tmp/gh-aw/cache-memory 2>/dev/null)" ]; then
- echo "has_content=true" >> "$GITHUB_OUTPUT"
- else
- echo "has_content=false" >> "$GITHUB_OUTPUT"
- fi
- - name: Save cache-memory to cache (default)
- if: steps.check_cache_default.outputs.has_content == 'true'
- uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- with:
- key: memory-none-nopolicy-trending-data-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }}
- path: /tmp/gh-aw/cache-memory
-
- upload_assets:
- needs:
- - activation
- - agent
- if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset')
- runs-on: ubuntu-slim
- permissions:
- contents: write
- timeout-minutes: 10
- outputs:
- branch_name: ${{ steps.upload_assets.outputs.branch_name }}
- published_count: ${{ steps.upload_assets.outputs.published_count }}
- steps:
- - name: Checkout actions folder
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions
- persist-credentials: false
- - name: Setup Scripts
- id: setup
- uses: ./actions/setup
- with:
- destination: ${{ runner.temp }}/gh-aw/actions
- job-name: ${{ github.job }}
- trace-id: ${{ needs.activation.outputs.setup-trace-id }}
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- fetch-depth: 0
- - name: Configure Git credentials
- env:
- REPO_NAME: ${{ github.repository }}
- SERVER_URL: ${{ github.server_url }}
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git config --global user.name "github-actions[bot]"
- git config --global am.keepcr true
- # Re-authenticate git with GitHub token
- SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
- echo "Git configured with standard GitHub Actions identity"
- - name: Download assets
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: safe-outputs-assets
- path: /tmp/gh-aw/safeoutputs/assets/
- - name: List downloaded asset files
- continue-on-error: true
- run: |
- echo "Downloaded asset files:"
- find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls
- - name: Download agent output artifact
- id: download-agent-output
- continue-on-error: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- name: agent
- path: /tmp/gh-aw/
- - name: Setup agent output environment variable
- id: setup-agent-output-env
- if: steps.download-agent-output.outcome == 'success'
- run: |
- mkdir -p /tmp/gh-aw/
- find "/tmp/gh-aw/" -type f -print
- echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- - name: Push assets
- id: upload_assets
- uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
- env:
- GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
- GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}"
- GH_AW_ASSETS_MAX_SIZE_KB: 10240
- GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg,.svg"
- GH_AW_WORKFLOW_NAME: "Agentic Optimization Kit"
- GH_AW_TRACKER_ID: "agentic-optimization-kit"
- GH_AW_ENGINE_ID: "copilot"
- GH_AW_ENGINE_VERSION: "1.0.36"
- GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
- with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- script: |
- const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
- setupGlobals(core, github, context, exec, io, getOctokit);
- const { main } = require('${{ runner.temp }}/gh-aw/actions/upload_assets.cjs');
- await main();
- - name: Restore actions folder
- if: always()
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- repository: github/gh-aw
- sparse-checkout: |
- actions/setup
- sparse-checkout-cone-mode: true
- persist-credentials: false
-
diff --git a/.github/workflows/agentic-optimization-kit.md b/.github/workflows/agentic-optimization-kit.md
deleted file mode 100644
index 79f0b5f4b58..00000000000
--- a/.github/workflows/agentic-optimization-kit.md
+++ /dev/null
@@ -1,433 +0,0 @@
----
-description: Weekly consolidated kit combining token audit, optimization targeting, and agentic observability into one actionable report with prompt artifacts
-on:
- schedule: weekly on monday
- workflow_dispatch:
-permissions:
- contents: read
- actions: read
- issues: read
- pull-requests: read
- discussions: read
-tracker-id: agentic-optimization-kit
-engine: copilot
-strict: true
-tools:
- cli-proxy: true
- agentic-workflows:
- github:
- toolsets: [default, discussions]
- bash:
- - "*"
-safe-outputs:
- mentions: false
- allowed-github-references: []
- concurrency-group: "agentic-optimization-kit-safe-outputs"
- create-issue:
- title-prefix: "[agentic-optimization escalation] "
- labels: [agentics, warning, observability]
- close-older-issues: true
- max: 1
- noop:
- report-as-issue: false
-timeout-minutes: 35
-imports:
- - uses: shared/daily-audit-charts.md
- with:
- title-prefix: "[agentic-optimization-kit] "
- expires: 7d
- - uses: shared/repo-memory-standard.md
- with:
- branch-name: "memory/token-audit"
- description: "Historical daily Copilot token usage snapshots (shared with copilot-token-audit)"
- max-patch-size: 51200
- - copilot-setup-steps.yml
- - uses: shared/mcp/gh-aw.md
-features:
- copilot-requests: true
-steps:
- - name: Download Copilot workflow logs
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- set -euo pipefail
- mkdir -p /tmp/gh-aw/token-audit
-
- echo "π₯ Downloading Copilot workflow logs (last 7 days, up to 500 runs)..."
-
- LOGS_EXIT=0
- gh aw logs \
- --engine copilot \
- --start-date -7d \
- --json \
- -c 500 \
- > /tmp/gh-aw/token-audit/all-runs.json || LOGS_EXIT=$?
-
- if [ -s /tmp/gh-aw/token-audit/all-runs.json ]; then
- TOTAL=$(jq '.runs | length' /tmp/gh-aw/token-audit/all-runs.json)
- echo "β
Downloaded $TOTAL Copilot workflow runs"
- if [ "$LOGS_EXIT" -ne 0 ]; then
- echo "β οΈ gh aw logs exited with code $LOGS_EXIT (partial results β likely API rate limit)"
- fi
- else
- echo "β No log data downloaded (exit code $LOGS_EXIT)"
- echo '{"runs":[],"summary":{}}' > /tmp/gh-aw/token-audit/all-runs.json
- fi
-
- - name: Pre-aggregate top workflows by token usage
- run: |
- set -euo pipefail
- mkdir -p /tmp/gh-aw/token-audit
-
- jq '{
- generated_at: (now | todateiso8601),
- window_days: 7,
- top_workflows: (
- [.runs[]
- | select(.status == "completed")
- | {
- workflow_name: .workflow_name,
- tokens: (.token_usage // 0),
- effective_tokens: (.effective_tokens // 0),
- cost: (.estimated_cost // 0),
- turns: (.turns // 0),
- action_minutes: (.action_minutes // 0),
- error_count: (.error_count // 0),
- warning_count: (.warning_count // 0)
- }
- ]
- | sort_by(.workflow_name)
- | group_by(.workflow_name)
- | map({
- workflow_name: .[0].workflow_name,
- run_count: length,
- total_tokens: (map(.tokens) | add // 0),
- avg_tokens: ((map(.tokens) | add // 0) / length),
- total_effective_tokens: (map(.effective_tokens) | add // 0),
- total_cost: (map(.cost) | add // 0),
- avg_cost: ((map(.cost) | add // 0) / length),
- total_turns: (map(.turns) | add // 0),
- avg_turns: ((map(.turns) | add // 0) / length),
- total_action_minutes: (map(.action_minutes) | add // 0),
- total_errors: (map(.error_count) | add // 0),
- total_warnings: (map(.warning_count) | add // 0)
- })
- | sort_by(.total_tokens)
- | reverse
- | .[:10]
- )
- }' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/top-workflows.json
-
- echo "β
Pre-aggregated top workflows"
- jq '.top_workflows[] | "\(.workflow_name): \(.total_tokens) tokens"' -r /tmp/gh-aw/token-audit/top-workflows.json
-
- - name: Load optimization history from repo-memory
- run: |
- set -euo pipefail
-
- OPT_LOG="/tmp/gh-aw/repo-memory/default/optimization-log.json"
- ROLLING="/tmp/gh-aw/repo-memory/default/rolling-summary.json"
-
- if [ -f "$OPT_LOG" ]; then
- echo "β
Previous optimizations:"
- jq -r '.[] | "\(.date): \(.workflow_name)"' "$OPT_LOG" | tail -10
- else
- echo "βΉοΈ No previous optimization history found."
- fi
-
- if [ -f "$ROLLING" ]; then
- echo "β
Rolling summary entries: $(jq 'length' "$ROLLING")"
- else
- echo "βΉοΈ No rolling summary found."
- fi
----
-
-{{#runtime-import? .github/shared-instructions.md}}
-
-# Agentic Optimization Kit
-
-You are the Agentic Optimization Kit β a weekly unified analyst that consolidates token auditing, optimization targeting, and agentic observability into one executive report with actionable prompt artifacts.
-
-## Priority Ordering
-
-Follow these three layers in order, each feeding the next:
-
-1. **Baseline Layer** (Audit): raw token/cost/turn/action-minute facts from the pre-downloaded 7-day run data.
-2. **Optimization Layer**: select one high-ROI target, audit its runs deeply, produce ranked recommendations.
-3. **Observability Layer**: episode-level DAG analysis, control/risk signals, portfolio map, domain-aware interpretation.
-
-Source-of-truth precedence: Episodes override workflow-level aggregates. Optimization action recommendations override generic observations. Baseline numbers are canonical for cost and token counts.
-
-## Data Inputs
-
-- `/tmp/gh-aw/token-audit/all-runs.json` β full 7-day run data (`gh aw logs --json`)
-- `/tmp/gh-aw/token-audit/top-workflows.json` β pre-aggregated top 10 workflows by total tokens
-- `/tmp/gh-aw/repo-memory/default/YYYY-MM-DD.json` β prior daily audit snapshots (if any)
-- `/tmp/gh-aw/repo-memory/default/rolling-summary.json` β 90-day trend history (if any)
-- `/tmp/gh-aw/repo-memory/default/optimization-log.json` β prior optimization targets and cooldown log
-
-Treat missing numeric fields (`token_usage`, `estimated_cost`, `turns`, `action_minutes`) as `0`.
-
-## Phase 1 β Baseline Audit
-
-Write and run `/tmp/gh-aw/python/process_baseline.py`. The script must:
-
-1. Load `/tmp/gh-aw/token-audit/all-runs.json` and filter to `status == "completed"` runs.
-2. Group by `workflow_name` and compute per-workflow:
- - `run_count`, `total_tokens`, `avg_tokens`, `total_effective_tokens`, `total_cost`, `avg_cost`, `total_turns`, `avg_turns`, `total_action_minutes`, `error_count`, `warning_count`
-3. Compute overall summary: total runs, total tokens, total cost, total action minutes.
-4. Sort workflows descending by `total_tokens`.
-5. Flag heavy-hitters using these thresholds (chosen so that a single workflow exceeding them warrants immediate review):
- - `is_dominant` β workflow accounts for >30% of total tokens (a single workflow owning >30% concentrates systemic risk)
- - `is_expensive_per_run` β avg tokens/run > 100,000 (above 100k/run a single bad prompt is the primary cost lever)
- - `is_noisy` β error_count + warning_count > run_count * 0.5 (more than 1 incident per 2 runs signals reliability waste)
-6. Save snapshot to `/tmp/gh-aw/python/data/baseline_snapshot.json` with today's UTC date.
-7. Copy snapshot to `/tmp/gh-aw/repo-memory/default/YYYY-MM-DD.json` (today's date).
-8. Load `/tmp/gh-aw/repo-memory/default/rolling-summary.json` (or start empty list), append today's overall totals entry `{date, total_tokens, total_cost, total_runs, total_action_minutes}`, trim to last 90 entries, and save back.
-
-## Phase 2 β Optimization Target Selection and Analysis
-
-### Select Target
-
-Starting from `top-workflows.json`:
-
-- Exclude workflows optimized in the last 14 days (check `optimization-log.json`).
-- Exclude workflows with "Token" or "Optimization" in the name to avoid self-targeting.
-- Choose the workflow with the highest `total_tokens` among those remaining.
-- If no candidates remain after exclusion, pick the highest-token workflow that is NOT this workflow itself.
-
-Collect run-level data for the selected target from `all-runs.json`.
-
-### Analyze Target
-
-| Area | Required checks | Output |
-|---|---|---|
-| Tool usage | Compare tools configured in the workflow source (read via `gh` CLI) vs observed usage across β₯5 runs (minimum sample before removal recommendations) | Keep / Consider removing / Remove |
-| Token efficiency | Evaluate total_tokens, effective_tokens, cache hit rate, turns per successful run | Top token waste drivers |
-| Reliability | Repeated errors, warnings, retries, missing-tool patterns | Token waste from failures |
-| Prompt efficiency | Redundant instructions, overlong sections, avoidable iteration loops | Prompt reduction opportunities |
-
-Rules:
-- Require β₯5 observed runs as the minimum sample before any tool-removal recommendation; fewer runs carry too much variance to justify removal.
-- Never recommend removing a tool used in any successful run without strong contrary evidence.
-- Prioritize highest expected savings first.
-
-### Read Workflow Source
-
-Use `gh` CLI via cli-proxy to read the target workflow `.md` source. Validate configured tools, feature flags, imported shared components, prompt structure, and network constraints.
-
-### Build Optimization Recommendations
-
-Produce a ranked list of β€5 recommendations, each with:
-- Title
-- Estimated token savings per run
-- Concrete action
-- Evidence from observed runs
-
-### Update Optimization Log
-
-Append one entry to `/tmp/gh-aw/repo-memory/default/optimization-log.json`:
-`{"date":"2026-04-28","workflow_name":"daily-observability-report","total_tokens_analyzed":950000,"runs_audited":7,"recommendations_count":3,"estimated_savings_per_run":12000}`
-
-Replace the example date, workflow name, and numbers with actual values from this run.
-
-Load existing array if present, append, keep only last 30 entries, and save.
-
-## Phase 3 β Episode and Observability Analysis
-
-Use the `agentic-workflows` MCP `logs` tool to get the full 30-day run set with episodes:
-- Leave `workflow_name` empty (analyze full repository).
-- Use `count` of 400 to cover the repository.
-- Extract `episodes[]`, `edges[]`, `agentic_assessments[]`, `behavior_fingerprint`, `task_domain`, and `comparison` fields.
-
-Build three DataFrames for charting (Phase 4):
-
-**episodes_df** β one row per episode from `episodes[]`:
-- `episode_id`, `primary_workflow`, `total_tokens`, `total_estimated_cost`, `total_runs`
-- Derived: `episode_risk_score` = `1.0 * risky_node_count + 1.2 * poor_control_node_count + 1.2 * mcp_failure_count + 1.0 * blocked_request_count + 1.4 * new_mcp_failure_run_count + 1.4 * blocked_request_increase_run_count + 2.0 * escalation_eligible (boolβint)`
- - Weights reflect escalation severity: control degradation (1.2) and trend signals (1.4) outweigh raw counts (1.0); `escalation_eligible` (2.0) gets a boost because it already aggregates multiple threshold crossings.
-
-**runs_df** β one row per run from `.runs[]` with all signal fields.
-
-**workflow_df** β group `runs_df` by `workflow_name`:
-- Compute `successful_runs`, `risky_run_rate`, `poor_control_rate`, `resource_heavy_rate`, `latest_success_fallback_rate`, `blocked_request_rate`, `mcp_failure_rate`
-- Derived: `workflow_instability_score` = `0.25*normalize(risky_run_rate) + 0.20*normalize(poor_control_rate) + 0.20*normalize(resource_heavy_rate) + 0.15*normalize(latest_success_fallback_rate) + 0.10*normalize(blocked_request_rate) + 0.10*normalize(mcp_failure_rate)`
- - Normalization: min-max per column so each term is in [0, 1]. Weights sum to 1.0. `risky_run_rate` leads (0.25) as the broadest risk signal; control and resource signals share the next tier (0.20 each); fallback and incidence signals trail (0.15, 0.10, 0.10) because they may reflect benign behavior.
-- Derived: `workflow_value_proxy` = `0.35*normalize(successful_runs) + 0.25*(1-normalize(workflow_instability_score)) + 0.20*normalize(repeat_use_score) + 0.20*(1-normalize(overkill_signal_rate))`
- - Weights sum to 1.0. Recent successful usage (0.35) is the strongest value signal; stability contributes 0.25; repeat invocations (0.20) and absence of overkill signals (0.20) capture ROI and right-sizing.
-- Dominant recommendation bucket: `keep` / `optimize` / `simplify` / `review`
-
-Apply domain-aware interpretation:
-- `triage`, `repo_maintenance`, `issue_response`: penalize broad tool use and overkill more heavily.
-- `research`: tolerate tool breadth; flag `partially_reducible` only when repeated.
-- `code_fix`: judge cost together with stability and actuation quality.
-- `release_ops`: prioritize reliability over raw cost.
-- `delegated_automation`: use episode-level reading; do not penalize a worker for episode-level cost without checking the enclosing DAG.
-
-### Portfolio Analysis
-
-Identify:
-- Workflows appearing `overkill_for_agentic` across multiple runs.
-- Stale workflows (low recent run count, low success rate).
-- Overlap pairs: workflows with similar task domain + schedule + behavioral fingerprint.
-
-Compute `workflow_overlap_score(a,b)` = `0.30 * same_task_domain + 0.25 * same_schedule_family + 0.20 * same_behavior_cluster + 0.15 * name_similarity + 0.10 * assessment_similarity`.
-- `same_task_domain`, `same_schedule_family`, `same_behavior_cluster` are boolean (0 or 1); `name_similarity` and `assessment_similarity` are continuous in [0, 1] (Jaccard or cosine similarity). Result is in [0, 1]; values β₯0.55 are strong consolidation candidates.
-
-## Phase 4 β Generate 5 Charts
-
-Write and run `/tmp/gh-aw/python/agentic_optimization_plots.py` using the DataFrames from Phases 1 and 3. Generate exactly 5 charts at 300 DPI (publication quality for inline GitHub rendering), 12Γ7 inches (optimal for widescreen reading), seaborn whitegrid style. Save to `/tmp/gh-aw/python/charts/`, then upload each with `upload_asset` and record the returned URLs.
-
-1. **Token Usage by Workflow** β horizontal bar, top 15 workflows by `total_tokens` from Phase 1 baseline. Color bars by `is_dominant` / `is_expensive_per_run` / `is_noisy` flags. Save to `chart_token_bar.png`.
-
-2. **Historical Token Trend** β line chart of daily `total_tokens` and `total_cost` from `rolling-summary.json`. Skip or simplify if fewer than 2 data points. Save to `chart_trend.png`.
-
-3. **Episode RiskβCost Frontier** β scatter/bubble from `episodes_df`. x-axis: `total_estimated_cost`, y-axis: `episode_risk_score`, point size: `total_runs`, color: `primary_workflow`. Annotate top Pareto-frontier outliers. Save to `chart_episode_frontier.png`.
-
-4. **Workflow Stability Matrix** β heatmap from `workflow_df`. Rows = workflows (sorted by `workflow_instability_score` desc), columns = `[risky_run_rate, poor_control_rate, resource_heavy_rate, latest_success_fallback_rate, blocked_request_rate, mcp_failure_rate]`. Save to `chart_stability_matrix.png`.
-
-5. **Repository Portfolio Map** β scatter from `workflow_df`. x-axis: recent cost (or effective tokens as fallback), y-axis: `workflow_value_proxy`, size: run count, color: recommendation bucket. Add quadrant labels: `keep` (high value, low cost), `optimize` (high value, high cost), `simplify` (low value, low cost), `review` (low value, high cost). Save to `chart_portfolio_map.png`.
-
-Fallbacks: if data is too sparse for a chart, generate a simplified version with the same filename and explain the limitation in-report.
-
-## Phase 5 β Publish Discussion
-
-Create one discussion with the following structure. **Charts appear before all text walls.**
-
-```
-### π Executive Summary
-
-- **Period**: last 7 days (YYYY-MM-DD to YYYY-MM-DD)
-- **Total runs**: N | **Total tokens**: N,NNN,NNN | **Total cost**: $X.XX | **Action minutes**: X.Xm
-- **Active workflows**: N | **Episodes analyzed**: N | **High-confidence episodes**: N
-- **Heavy-hitters** (>30% token share): workflow list
-- **Optimization target this week**: [workflow name] β estimated savings: N tokens/run
-
-### π Visual Diagnostics
-
-#### 1. Token Usage by Workflow
-
-
-**Decision**: [One sentence identifying the top consumers and whether the ranking is expected.]
-
-#### 2. Historical Token Trend
-
-
-**Decision**: [One sentence on week-over-week direction β improving, flat, or worsening.]
-
-#### 3. Episode RiskβCost Frontier
-
-
-**Decision**: [One sentence naming the frontier episodes and immediate implication.]
-**Why it matters**: [One or two sentences on whether cost or risk dominates.]
-
-#### 4. Workflow Stability Matrix
-
-
-**Decision**: [One sentence naming the least stable workflows.]
-**Why it matters**: [One or two sentences on whether instability is broad or concentrated.]
-
-#### 5. Repository Portfolio Map
-
-
-**Decision**: [One sentence naming workflows in each quadrant.]
-**Why it matters**: [One or two sentences on the dominant portfolio tradeoff.]
-
-### π¨ Escalation Targets
-
-[List only workflows that crossed escalation thresholds; skip section if none.]
-- **[workflow]**: [reason code list] β `suggested_route`
-
-### π― Optimization Target: [WORKFLOW NAME]
-
-**Why selected**: [reason β highest tokens, not recently optimized]
-**Runs analyzed**: N over 7 days | Avg tokens/run: N | Avg cost/run: $X.XX | Avg turns/run: X
-
-| Rank | Recommendation | Est. Savings/Run | Action |
-|---|---|---|---|
-| 1 | ... | ~N tokens | ... |
-| 2 | ... | ~N tokens | ... |
-
-### π‘ 5 Actionable Prompts
-
-Mine these prompts to drive continuous optimization. Each is a ready-to-use instruction for an AI agent or coding assistant.
-
-#### π§ Prompt 1 β Optimization (highest ROI workflow)
-
-```prompt
-[Complete optimization prompt: name the workflow, list the top 2β3 concrete edits to frontmatter/prompt/tools, state expected token savings per run, and reference the evidence run IDs.]
-```
-
-#### π‘οΈ Prompt 2 β Stability Fix (repeat offender workflow)
-
-```prompt
-[Complete stability prompt: name the workflow, describe the specific MCP failure / blocked-request / write-posture drift pattern, and provide the concrete configuration or prompt change to fix it.]
-```
-
-#### π Prompt 3 β Consolidation (top overlap pair)
-
-```prompt
-[Complete consolidation prompt: name the two workflows to merge, explain why they overlap (same domain + schedule + behavior cluster), describe which one to keep as the base, and list what the surviving workflow needs to absorb.]
-```
-
-#### βοΈ Prompt 4 β Right-sizing (overkill workflow)
-
-```prompt
-[Complete right-sizing prompt: name the overkill workflow, explain why it is overkill (domain + tool breadth + cost profile), and recommend a specific alternative: deterministic replacement, smaller model routing, or tool removal.]
-```
-
-#### π Prompt 5 β Escalation (owner-routed, evidence-linked)
-
-```prompt
-[Complete escalation prompt: list the escalated workflows/episodes in priority order, state the specific regression or threshold crossed, link up to 3 representative runs, and recommend the first concrete action for the repository owner. If no escalation threshold was crossed, write a portfolio maintenance prompt instead targeting the top review-quadrant workflow.]
-```
-
-
-Full Per-Workflow Baseline Breakdown (7 days)
-
-[Complete table: all workflows sorted by total tokens, with run count, avg tokens/run, total cost, avg turns/run, error count, warning count.]
-
-
-
-
-Episode Detail
-
-[Top episodes by risk score with confidence, run count, total cost, escalation_reason where present.]
-
-
-
-
-Portfolio Opportunities
-
-[Stale workflows, overlap pairs with overlap scores, and overkill candidates not in the optimization this week.]
-
-
-
-
-Optimization Analysis Detail: [WORKFLOW NAME]
-
-[Full 4-area analysis matrix with evidence tables per area.]
-
-
-```
-
-## Phase 6 β Escalation Issue (Conditional)
-
-Create one escalation issue **only** when at least one of these conditions holds across the last 14 days (the 14-day window balances recency with enough signal to distinguish noise from a real regression; "two or more" is used throughout so that a single flaky run cannot trigger an issue β two independent crossings in the same window indicate a pattern):
-
-1. `episodes[].escalation_eligible == true` for any episode.
-2. Two or more runs for the same workflow have `comparison.classification.label == "risky"`.
-3. Two or more runs have `new_mcp_failure` or `blocked_requests_increase` in `comparison.classification.reason_codes`.
-4. Two or more runs for the same workflow have a medium or high severity (not low) `resource_heavy_for_domain` or `poor_agentic_control` assessment β medium and high are used because low-severity assessments are informational and do not require owner action.
-
-Issue must: name affected workflows in priority order, explain evidence with run counts and reason codes, include `suggested_route` per episode, link up to 3 representative runs, and state the recommended first action. Keep it concise β the full analysis lives in the discussion.
-
-If no threshold is crossed, do not create an issue. Use `noop` only if no run data could be obtained at all.
-
-## Guardrails
-
-- Use pre-downloaded data for baseline; use MCP `logs` tool for the 30-day episode analysis.
-- Keep recommendations evidence-based and low-risk. Audit β₯5 runs before tool-removal recommendations.
-- Do not modify prior audit snapshots; only update `rolling-summary.json` and `optimization-log.json`.
-- Report structure: **charts first**, then compact summaries, then `` for long text.
-- Always emit all 5 prompts even when evidence for a category is thin β use the best available candidate and note uncertainty.
diff --git a/docs/src/content/docs/patterns/agentic-observability-kit.md b/docs/src/content/docs/patterns/agentic-observability-kit.md
deleted file mode 100644
index a1ac912eac8..00000000000
--- a/docs/src/content/docs/patterns/agentic-observability-kit.md
+++ /dev/null
@@ -1,251 +0,0 @@
----
-title: Agentic Observability Kit
-description: Use the built-in Agentic Observability Kit to review agentic workflow behavior, detect regressions, and identify evidence-based repository portfolio cleanup opportunities.
----
-
-> [!WARNING]
-> **Experimental:** The Agentic Observability Kit is still experimental! Things may break, change, or be removed without deprecation at any time.
-
-The Agentic Observability Kit reviews recent agentic workflow runs in a repository and produces one operator-facing report. It reads run history, episode rollups, and selective audit details, posts a discussion with the results and opens one escalation issue only when repeated patterns warrant owner action.
-
-The kit now also includes an evidence-based repository portfolio review. In the same report, maintainers can call out workflows that look stale, overlapping, weakly justified for their recent cost, or consistently overbuilt for the task domain they serve.
-
-This pattern is useful when a repository has enough agentic activity that per-run inspection is too noisy, but maintainers still need practical answers to questions such as which workflows are drifting, which runs are expensive for their domain, which orchestrated chains are accumulating risk, and which workflows may no longer justify their current form.
-
-## Scope
-
-The built-in workflow is repository-scoped. The report combines two layers:
-
-- operational observability for recent runs, episodes, regressions, and control failures
-- an evidence-based portfolio appendix for overlap, stale workflows, and weakly justified agentic workflows
-
-The same pattern extends to organization and enterprise scope via central repository aggregation β see [Deployment by scope](#deployment-by-scope) below. Organization-wide and enterprise-wide deployments require additional cross-repository authentication, central orchestration, and portfolio aggregation logic beyond the single built-in workflow.
-
-## Deployment by scope
-
-The practical setup differs by scope.
-
-### Single repository: install the built-in workflow
-
-For one repository, use the built-in workflow directly and keep the report local to that repository.
-
-```aw wrap
----
-on:
- schedule: weekly on monday around 08:00
- workflow_dispatch:
-permissions:
- contents: read
- actions: read
- issues: read
- pull-requests: read
- discussions: read
-engine: copilot
-tools:
- agentic-workflows:
- github:
- toolsets: [default, discussions]
-safe-outputs:
- create-issue:
- title-prefix: "[observability escalation] "
- max: 1
----
-
-# Agentic Observability Kit
-
-Review recent agentic workflow runs in this repository and publish one discussion-oriented report.
-```
-
-This is the right default when maintainers want repository-local visibility and repository-local ownership, including an evidence-based review of whether current workflows still look justified for the repository.
-
-### One organization: aggregate from a central repository
-
-For an organization, prefer one central repository that discovers target repositories, pulls per-repository observability data, and publishes an organization-level rollup.
-
-```aw wrap
----
-on:
- schedule: weekly on monday around 09:00
- workflow_dispatch:
-permissions:
- contents: read
- actions: read
- discussions: read
-engine: copilot
-tools:
- github:
- github-token: ${{ secrets.GH_AW_READ_ORG_TOKEN }}
- toolsets: [repos]
- bash:
- - "gh aw logs *"
-safe-outputs:
- create-discussion:
- max: 1
----
-
-# Organization Observability Rollup
-
-Discover target repositories, collect per-repository `gh aw logs --json --repo owner/repo` output, and generate one organization-level summary.
-```
-
-This is the recommended org-wide model because it centralizes authentication, repository allowlists, aggregation logic, and routing decisions. If each repository needs its own local discussion, install the built-in workflow there too, but treat the central rollup as the broader portfolio view.
-
-### Enterprise-wide: extend the central aggregation pattern
-
-For multiple organizations, use one or more control-plane repositories that aggregate across repository groups, business units, or organizations.
-
-```aw wrap
----
-on:
- schedule: weekly on monday around 10:00
- workflow_dispatch:
-permissions:
- contents: read
- actions: read
- discussions: read
-engine: copilot
-tools:
- github:
- github-token: ${{ secrets.GH_AW_ENTERPRISE_READ_TOKEN }}
- toolsets: [repos, orgs]
- bash:
- - "gh aw logs *"
-safe-outputs:
- create-discussion:
- max: 1
----
-
-# Enterprise Observability Rollup
-
-Collect normalized observability data across approved organizations and repositories, then publish a portfolio report with shared routing and prioritization.
-```
-
-This should be treated as fleet operations. The goal is not to replicate the repository-level workflow everywhere and stitch the output together later. The goal is to keep aggregation, policy, and prioritization in one place.
-
-> [!TIP]
-> For org-wide and enterprise-wide deployment, start with a pilot allowlist of repositories before expanding coverage. The central aggregation model is operationally safer when authentication, repo discovery, and rollup logic are still being tuned.
-
-## What it analyzes
-
-Built around `gh aw logs`, the kit prefers `episodes[]` and `edges[]` to analyze orchestrator and worker runs as one logical execution, avoiding misreads of delegated runs in isolation. When episode summaries are insufficient, it audits individual runs to explain regressions or MCP failures. For portfolio review, it uses targeted workflow-file inspection to confirm trigger or schedule overlap.
-
-It consumes signals from `gh aw logs` and `gh aw audit`:
-
-- Episode-level rollups for lineage, risk, blocked requests, MCP failures, and suggested route
-- Per-run metrics: duration, action minutes, token usage, turns, warnings, and `estimated_cost`
-- Effective Tokens β a normalized metric weighting input, output, cache-read, and cache-write tokens by per-model multiplier, enabling cross-run and cross-model comparisons
-- Behavior fingerprints and agentic assessments to distinguish overkill workflows from genuinely agentic ones
-- Portfolio signals from repeated overkill assessments, weak activity, instability, and workflow overlap
-
-## Visual report form
-
-The kit can produce a chart-backed report format designed for fast interpretation. Instead of relying only on prose, the discussion can include a `Visual Diagnostics` section with a small number of scientific-style plots that make portfolio and observability signals legible at a glance.
-
-The kit is designed around four fixed plot types, each answering a different maintainer question:
-
-| Chart | What it shows | Key question |
-|-------|---------------|--------------|
-| **Episode Risk-Cost Frontier** | Episodes in cost-risk space (x=cost, y=risk score derived from risky nodes/MCP failures/blocked requests, size=run count) | Which execution chains sit on the cost-risk frontier? |
-| **Workflow Stability Matrix** | Workflow-by-metric heatmap of instability signals (risky run rate, fallback rate, poor-control rate, etc.) | Which workflows are chronically unstable vs. noisy in one dimension? |
-| **Repository Portfolio Map** | Scatter by cost/value proxy; quadrants labeled keep/optimize/simplify/review | Which workflows deserve investment, simplification, or a decision? |
-| **Workflow Overlap Matrix** | Workflow-by-workflow similarity heatmap (task domain, trigger/schedule, fingerprints) | Which workflows solve the same problem closely enough to justify consolidation? |
-
-Each chart should support a decision: the overlap matrix targets consolidation review, the portfolio map targets prioritization, and the risk-cost frontier targets immediate optimization. Read plots outcome-adjusted β cost per successful run is more useful than raw spend; effective tokens per successful run is more useful than raw token totals.
-
-## Metric glossary
-
-| Metric | Definition |
-|--------|-----------|
-| `episode_risk_score` | Composite risk score combining risky nodes, poor-control nodes, MCP failures, blocked requests, regression markers, and escalation eligibility |
-| `workflow_instability_score` | Workflow-level score from repeated risky runs, poor-control assessments, resource-heavy assessments, fallback usage, and MCP failures β separates chronic instability from one-off incidents |
-| `workflow_value_proxy` | Repository-local value proxy (not a business KPI) combining recent successful usage, stability, repeat use, and absence of overkill signals β used to rank workflows into keep/optimize/simplify/review |
-| `workflow_overlap_score` | Approximate similarity between two workflows, blending task domain, trigger/schedule similarity, naming, and behavioral fingerprints β supports consolidation review, not proof of duplication |
-| `cost per successful run` | Preferred cost view that separates expensive-but-effective workflows from expensive-and-unreliable ones |
-| `effective tokens per successful run` | Preferred token-efficiency view across routes and models, accounting for token class weighting and model multipliers |
-
-## Calibration from a real repository sample
-
-A live sample of recent runs in this repository surfaced three calibration lessons:
-
-1. **Sparse cost data**: Effective Tokens carried more usable signal than estimated dollar cost. When cost fields are sparse, switch the portfolio map's x-axis to Effective Tokens per successful run.
-2. **Coarse task domains**: Most runs landed in `general_automation`, but behavior fingerprints (directed/exploratory/adaptive) still separated them meaningfully. Compare by behavior cluster when the domain layer is too coarse.
-3. **`partially_reducible` is a hint, not a verdict**: Treat it as significant only when paired with high Effective Tokens, high turn counts, or repeated resource-heavy assessments.
-
-## Domain-specific reading
-
-The same signals mean different things across workflow types. Compare within similar domains first β a cheap triage workflow and an expensive research workflow are not substitutes for each other.
-
-| Domain | Key question | Notes |
-|--------|--------------|-------|
-| `triage`, `repo_maintenance`, `issue_response` | Is the workflow too agentic for its job? | Strongest candidates for deterministic replacements, smaller models, narrow-tool routing |
-| `research` | Does repeated cost have evidence of value? | Consider moving data-gathering into deterministic pre-steps; keep agent for the analytical core |
-| `code_fix` | Does cost combine with instability, blocked requests, or weak control? | Higher cost is acceptable when write actions are intentional and controlled |
-| `release_ops` | Is the workflow stable and repeatable? | Reliability dominates; moderate cost is acceptable, repeated instability is not |
-| Delegated workflows | Is the worker justified within its episode chain? | A worker expensive in isolation may be fine inside a coherent larger execution |
-
-### Report form
-
-The most useful discussion form is:
-
-1. `Executive Summary` for the overall decision.
-2. `Key Metrics` for repository-level scale.
-3. `Highest Risk Episodes` and `Episode Regressions` for operational findings.
-4. `Visual Diagnostics` with the four charts in the fixed order above.
-5. `Portfolio Opportunities` for repository-level cleanup candidates.
-6. `Recommended Actions` for the final ranked decisions.
-
-Under each chart, the report should include two short blocks: `Decision` and `Why it matters`. That keeps the visuals analytical instead of decorative.
-
-## Why it matters for COGS reduction
-
-The kit turns agentic workflow spend into a reviewable operational signal. It surfaces four common sources of waste:
-
-- **Overbuilt workflows**: Resource-heavy runs, repeated `latest_success` comparisons, or overkill assessments signal candidates for smaller models, tighter prompts, or deterministic automation.
-- **Avoidable control failures**: Repeated blocked requests, MCP failures, or poor-control assessments mean tokens and Actions minutes are going to retries and fallback paths rather than useful work.
-- **Hidden orchestration costs**: Episode rollups expose the true aggregate cost of distributed workflows that dispatch workers or chain `workflow_run` triggers.
-- **Low-priority optimization**: Escalation logic groups repeated problems into a single actionable report, so owners focus on the highest-value fixes rather than one issue per workflow.
-
-## Accuracy and cost caveats
-
-The kit is accurate as an observability and optimization tool, but its cost signals are not equivalent to billing records.
-
-`action_minutes` is an estimate derived from workflow duration and rounded to billable minutes. It is useful for relative comparison and trend detection, but it does not represent a GitHub invoice line item.
-
-`estimated_cost` is only as authoritative as the engine logs that produced it. For some engines, the value comes from structured log fields emitted by the runtime. For portfolio analysis and prioritization this is usually sufficient, but the number should still be treated as a run-level estimate rather than finance-grade accounting.
-
-Effective Tokens are also intentionally not a billing unit. They are a normalization layer that makes cross-run and cross-model comparisons more useful. Use them to answer βwhich workflows are inefficient?β rather than βwhat exact amount will appear on the invoice?β
-
-## When to use it
-
-This pattern is a good fit when:
-
-- A repository has multiple agentic workflows and maintainers need a weekly operational summary.
-- Orchestrated workflows make per-run analysis misleading.
-- The team wants an evidence-based way to identify model downgrades, prompt tightening, deterministic replacements, or workflow cleanup candidates.
-- The repository already uses `gh aw logs` and `gh aw audit` for investigation and wants the same signals in an automated report.
-
-This pattern is a poor fit when a repository has only one low-frequency workflow or when exact billing reconciliation is the primary requirement.
-
-For organization-wide or enterprise-wide deployment, it is also a poor fit as a direct copy-paste workflow if there is no central repository, no cross-repository token strategy, or no clear allowlist of repositories to observe.
-
-## Relationship to other tools
-
-The kit does not replace the lower-level debugging tools.
-
-- Use [`gh aw logs`](/gh-aw/reference/audit/#gh-aw-logs---format-fmt) to inspect cross-run trends directly.
-- Use [`gh aw audit`](/gh-aw/reference/audit/#gh-aw-audit-run-id-or-url-run-id-or-url) for a detailed single-run report.
-- Use [Cost Management](/gh-aw/reference/cost-management/) to understand Actions minutes, inference spend, and optimization levers.
-- Use [Cross-Repository Operations](/gh-aw/reference/cross-repository/) and [MultiRepoOps](/gh-aw/patterns/multi-repo-ops/) when the observability workflow needs to read or coordinate across multiple repositories.
-
-The Agentic Observability Kit sits above those tools. It is the scheduled reviewer that turns those raw signals into one repository-level report.
-
-## Portfolio review capabilities
-
-The standalone `portfolio-analyst` workflow has been superseded by the Agentic Observability Kit. Maintainers who want one weekly report should use the kit instead of running both workflows. The highest-value cleanup candidates are workflows dominated on more than one axis β expensive and unstable, cheap but consistently low-value, or overlapping and weaker than a nearby alternative.
-
-## Source workflow
-
-The built-in workflow lives at [`/.github/workflows/agentic-observability-kit.md`](https://github.com/github/gh-aw/blob/main/.github/workflows/agentic-observability-kit.md).
-
-> [!NOTE]
-> The workflow prompt prefers deterministic episode data over prompt-time reconstruction. If episode data is missing or incomplete, the report is expected to call that out as an observability finding rather than silently guessing.