diff --git a/.github/aw/memory.md b/.github/aw/memory.md index 0067b6d7638..8372cf1dfbb 100644 --- a/.github/aw/memory.md +++ b/.github/aw/memory.md @@ -97,6 +97,10 @@ tools: - Single cache: `/tmp/gh-aw/cache-memory/` - Multiple caches: `/tmp/gh-aw/cache-memory/{id}/` +### Branch scoping + +Caches are **branch-scoped**: a run restores from caches saved on the same branch, with GitHub Actions also allowing fallback restore from the default branch (typically `main`). A non-default branch's first restore usually comes from the default branch; subsequent saves fork a branch-local lineage. For workflows that depend on warmed state, prefer scheduling on the default branch so each run reuses and updates one lineage instead of fragmenting state across feature branches. + ### Deduplication example (scheduled workflow) The following pattern lets a scheduled workflow skip items it has already processed: diff --git a/.github/aw/syntax-agentic.md b/.github/aw/syntax-agentic.md index 83759e8fa12..f5e9206412b 100644 --- a/.github/aw/syntax-agentic.md +++ b/.github/aw/syntax-agentic.md 
@@ -301,6 +301,7 @@ description: Agentic workflow specific frontmatter fields for GitHub Agentic Wor - **`gemini` engine**: Google Gemini CLI. Requires `GEMINI_API_KEY` secret. Does not support `max-turns`, `web-fetch`, or `web-search`. Supports AWF firewall and LLM gateway. - **`opencode` engine** (experimental): Provider-agnostic, open-source AI coding agent (BYOK). Defaults to Copilot routing via `COPILOT_GITHUB_TOKEN` (or `${{ github.token }}` with `copilot-requests` feature). Supports 75+ models via `provider/model` format. Supports AWF firewall and LLM gateway. - **`copilot-sdk` / `copilot-sdk-driver`** (experimental, copilot only): set `copilot-sdk: true` to start a headless Copilot CLI SDK sidecar; `copilot-sdk-driver: ` supplies a custom driver (`.js`/`.cjs`/`.mjs`/`.py`/`.ts`/`.mts`/`.rb`, or a bare PATH command) and implies `copilot-sdk: true`. Tune the repeated-tool-denial safeguard with the top-level `max-tool-denials:` field (default `5`). + - **`engine.auth:`** — keyless Workload Identity Federation via the AWF API proxy instead of a static API key; requires `id-token: write`. Set `type: github-oidc` (only supported type) plus `provider: azure` (`azure-tenant-id`, `azure-client-id`, optional `azure-scope`/`azure-cloud`) for Azure OpenAI, or `provider: anthropic` (`federation-rule-id`, `organization-id`, `service-account-id`, `workspace-id`) for Claude. Optional `audience:`. Maps to `AWF_AUTH_*` env vars. - **`network:`** - Network access control for AI engines (top-level field) - String format: `"defaults"` (curated allow-list of development domains)
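Review bot: In the new `### Branch scoping` paragraph of `.github/aw/memory.md`, the default-branch fallback is presented only as a warm-state concern, and the paragraph never states the direction of the fallback or what it means for the data kept in cache-memory. The fallback is one-way: other branches can restore what the default branch saved, but a default-branch run does not restore a feature branch's cache. Suggest adding a sentence saying so, and noting that anything written to `/tmp/gh-aw/cache-memory/` on the default branch becomes readable by runs on every other branch, so it should not hold secrets or branch-specific state. The hedge in "first restore usually comes from the default branch" would also be clearer if it named the condition, for example "when no cache has been saved on that branch yet".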
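Review bot: In the added `engine.auth:` bullet of `.github/aw/syntax-agentic.md`, "requires `id-token: write`" does not say where the permission is declared (the workflow's `permissions:` block) or whether the compiler adds it or rejects the workflow when it is missing, and "Optional `audience:`" gives no default value. Both matter for a federation setup, because the provider-side trust rule has to match the token's audience; suggest stating the default and pointing out that the Azure or Anthropic rule should be pinned to it. The bullet also sits directly after the "copilot only" `copilot-sdk` entry while its providers are Azure OpenAI and Claude, so it should name the engines that accept `engine.auth:`. `AWF_AUTH_*` is left as a wildcard; list the variables or link to where they are documented. Style: this bullet separates the field name from its description with an em dash, whereas the neighbouring `network:` bullet uses ` - `.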