diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index e64b704ed13..fd667b85c2c 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"27465bad2a2328fd5f4ea18e00881a4996ec1ccb258079f63b922025c714470f","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 6657337bd68..2dd42e4e9d6 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"78287fe84a612788fa9e2681f317889ce12753d3ada6d1d39ea39bf0ae5fc47b","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 2c33c106608..bbce25fb943 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"df8ee8e4d6ff58de0774bef7fbf88c90b0aab97064e3fe92662c062977bfdb32","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml index 29027a19a1f..6dd9cea1186 100644 --- a/.github/workflows/agentic-observability-kit.lock.yml +++ b/.github/workflows/agentic-observability-kit.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b373a12ddb2d6478ce32c3aec14c02e01381f092cfd176469bd76e948695e52f","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 37f4ca9e0b7..dc4311e85df 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d00bfe2cc99064fc6e54a08c4fa7e32813cc60f1a52fcf820a32b38d80d3a534","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/cache","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 5d889c68e75..c234a0bcf03 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c3a7f595232fc33b4ac6bb50e37dc0f7a9f865e571921c355dbc0291896375e1","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 49ee350b9d9..bf961291e03 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cef991e4899d8eed54259bc2844f9b763d5a1731bea07632148890e4163e9f8a","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 2216b0e384f..96d4f6b2e68 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"eaa1f38cf00c496f273056586fc94c3907390cf6918573d826353d68134ed1d1","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 294b6d2961f..bdc8e1e4a16 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"184d8fc30bc7b23f8d98932c7f1d4d6469fe64f2ce1872c3dc67d37cce513bd2","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 3e665522fd4..63ae07123b2 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"395091b3248ae0bfdd9169fe4e375b45de1a524b5a1c7ac4189864a829171a9e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 40d4afd23ef..46ed3aeb61f 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"27951079b449233790f02fda054a0e2b5f85e02ed9b005debc91a0c9529c788e","agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index d2cb895bf7a..c35bed803b3 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fd48550f1cc134361d5d1824e474b278a25c7d7713560fdb20546fc3c63eaf58","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 807eb8703ea..475aff1c9fb 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"7a1207f23c543fac19ce5c6a56703ce4c48c2bbdc62e8147af2d2325d31c7a51","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["BRAVE_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 94b99804c00..eeefabd58bf 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"72c5d14586c0c054bfab13bebc68d2cb455854b9e4f86832cc1fa24920e2bea0","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 406c350b12e..1e0f93edc7f 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8c85795f43a59a771922431c18dad77f4ae4f3283e6341507dd876e3122a992a","strict":true,"agent_id":"codex","agent_model":"gpt-5.1-codex-mini"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 93303ec2f5d..fccdcb81bb4 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"7071037ad5532e6ba79c2369ce479dcf001731620fca16aaa20336c250ce6fc9","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 472e4daf340..fd4ff41e58e 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c9b1a429ee022b1e54c33a6b8958f679c7f55c449779f2af49a8af4628c6e10b","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1aae5c7829e..54e41ec63ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -177,6 +177,9 @@ jobs: - name: "CLI Compile & Poutine" packages: "./pkg/cli" pattern: "^TestCompile[^W]|TestPoutine" # Exclude TestCompileWorkflows to avoid duplicates + - name: "CLI Safe Update" + packages: "./pkg/cli" + pattern: "^TestSafeUpdate" - name: "CLI MCP Connectivity" packages: "./pkg/cli" pattern: "TestMCPInspectPlaywright|TestMCPGateway" @@ -213,7 +216,7 @@ jobs: - name: "CLI Completion & Other" # Remaining catch-all (reduced from original) packages: "./pkg/cli" pattern: "" # Catch-all for tests not matched by other CLI patterns - skip_pattern: "^TestCompile[^W]|TestPoutine|TestMCPInspectPlaywright|TestMCPGateway|TestMCPAdd|TestMCPInspectGitHub|TestMCPServer|TestMCPConfig|TestLogs|TestFirewall|TestNoStopTime|TestLocalWorkflow|TestProgressFlagSignature|TestConnectHTTPMCPServer|TestCompileWorkflows_EmptyMarkdown|TestCompileWithZizmor|TestCompileWithPoutine|TestCompileWithPoutineAndZizmor|^TestAdd|^TestList|^TestUpdate|^TestAudit|^TestInspect|TestDockerBuild|TestDockerImage" + skip_pattern: "^TestCompile[^W]|TestPoutine|TestSafeUpdate|TestMCPInspectPlaywright|TestMCPGateway|TestMCPAdd|TestMCPInspectGitHub|TestMCPServer|TestMCPConfig|TestLogs|TestFirewall|TestNoStopTime|TestLocalWorkflow|TestProgressFlagSignature|TestConnectHTTPMCPServer|TestCompileWorkflows_EmptyMarkdown|TestCompileWithZizmor|TestCompileWithPoutine|TestCompileWithPoutineAndZizmor|^TestAdd|^TestList|^TestUpdate|^TestAudit|^TestInspect|TestDockerBuild|TestDockerImage" - name: "Workflow Compiler" packages: "./pkg/workflow" pattern: "TestCompile|TestWorkflow|TestGenerate|TestParse" diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 46e1b9aabf8..452f95fc280 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9c3fb936860c8bb48701759f789c33c501d3cf114cc983841e270c80a60f190d","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 329284cddb7..50d1712cad2 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"38cbd0bad1bb4196f0b3b2b2f6512214c6986f1f0615191a9dd4aa8be3f07b52","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 1c445db97f8..51dddcc4536 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f1edaf6fb88a3f4f73256faa6a1c60181f239cbc5e01436d07f90b282d6bff79","agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 4a26700c3ac..6fae199e597 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d5d748e083e16fd9f74dbf57ee5acc541750f35020c710b49599ced64d34ae87","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index bb97374c597..1399ad3f249 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"7cd994a53cc8354f98bb296436e9f2839d7431c52e5bd254a5b4003c1c61bf85","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 017485580e4..0e105fbc374 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"beabc3a4f65883ff74f93fde85a541b24c5e31db2f5390f2c4d69d5460f0c7ae","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 7c9e881edd7..a3e8132c19a 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5ab6849e01b879f9ef5b024355eb7f903b410418619f128c6a71bbe826a24fd1","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index a640fbf79f5..d3a29fc5257 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4a29095b6ca7c901495d8242d934dc97c34547f19593886381bd2baa41502596","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index fe9e570f9f2..77a7aeaf9c9 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b614d2b177f891f2474ec04ef2dadf47a16142bc2933d8a36a8e165870fae677","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 97a3d21b2d4..e3ca2d46f41 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c6a3f4c1233714c024d91fc9b1c524d86770132bae2044a11ce34b31aeaaa870","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 66c161e35e4..6c1077c7104 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"516b41602c0ef159ef589bb5951483aad785ae3a84262cb7316c0999d87d5ee5","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 9cb545c9193..6ae9079a21f 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a02477d504affad8243f290b6650b942bc559e08393c2ddc98618469afeda7fa","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index b647bb6c208..2ab6f05bab5 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75f825fd2068d558449e2b05450d7a6410d7f0d74817065330e715e36e0fcbbc","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 82e93e38ed7..a1af8ad9d46 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"ab224383b55d511a04b35f261e1bcfe5c738ac0236c5bcebbb8d9183e650a233","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 06beb469074..4488d6b7bdb 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"1dca46511393aed425b6af49cdf2d52922d4a19e5994aa2e2d1eea8c6547b0dd","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 785ba36a65a..ccfad3762d4 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0666485352daa9af36a20e72735d662cc8c9ae8f7d0ede5ea33fc6df920980bd","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml index c8a3e2a0634..200a9154dc2 100644 --- a/.github/workflows/copilot-token-audit.lock.yml +++ b/.github/workflows/copilot-token-audit.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"30107ff06ddff13a593f175c86fe6ac713e80c7174980a1b05dddccb48fff938","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"astral-sh/setup-uv","sha":"eac588ad8def6316056a12d4907a9d4d84ff7a3b","version":"eac588ad8def6316056a12d4907a9d4d84ff7a3b"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml index bb95deddf3d..5bea9873655 100644 --- a/.github/workflows/copilot-token-optimizer.lock.yml +++ b/.github/workflows/copilot-token-optimizer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d165c9656088312e3645272964379a361d0b1ae8ec97f0acd7b1cfb18bdd4abe","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"astral-sh/setup-uv","sha":"eac588ad8def6316056a12d4907a9d4d84ff7a3b","version":"eac588ad8def6316056a12d4907a9d4d84ff7a3b"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index fc1c9615078..f0a5834d81d 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5a2cd3baa75635b0241c0e8214512a7b4e64e27c1b16d1d2829f3bfae850df92","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 101dba0a9e4..640231205bf 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b21152b2a2cb33c9790687b63215f21ba3e8b655a6e6a50e096e01a0ab4d8171","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 4dd1729bcbf..d2f6a0d2329 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b8837697959ccef3a9e25c836ac34b77f03c06abead767b2801fd07edcffce71","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 2d274d0a1ce..380a240c372 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"ea995e6fa82049e5d0bfad33162e648f8be979169957dcfc48618ee616d16acd","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index b91894b4d58..caa9463846b 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"ca6c6ea818fe4a3b74562aac0d4b7a689adb0f24060562fa46cdaa2b54a8c257","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index ff554f7f779..cf7deb540ac 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"95fa78ac1f6600b89aa4380965c5deb05def45cbd07a9c6396b4f2baee9627ec","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 528971c9425..e83809a3d84 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fe7b2c9509e4a0b1d3b0e4779f4fc34d6f5c69c392a658b819b138f6341536a0","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index aa920f70ae8..5eb12dc8f7e 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d8410a2acd1463842c4bee4697418ffda12f92bdc759581c5f2eaac251b2c077","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 9af868c272b..2cfb386f6fe 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"07df264f3ff60e79b2664e791a5a2f09c63287cd9993bbf89150da5fffa1ae39","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 6c1ac223d1f..ce4cbceca79 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"42db22b7521742ad72a2fea245170040de1e21f14343362ce4f27d1ce15db92a","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_AGENT_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 8fe8d4249b4..7749d8453ff 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"61802c7637cbef894e5a8dcb661d01b2f5282079eaff42649df9280af91eba04","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index b63317dd82c..9dcc49e60a2 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f30e2e8af65bbdca1d696a63d2d0fd8c58c5af55f900c07ebf15ad33abd07a2a","strict":true,"agent_id":"codex","agent_model":"gpt-5.1-codex-mini"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 78ee1a19ba8..8d8bb1227f2 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a853c3c3f23a871170c1b64ff3616146c84293975cb868feecd07ae1bf99793c","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 4fdd070118a..1b69f90e87a 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a05a545069bfaa7f5ef536c120ea9d44ab928420e30c926830ca890463a28991","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index e44ca3cbf9b..dad81928b65 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"e794fc73524932edc2c34e2dc4f908fe6bf3cd373d985d08a5739d2b39bc6372","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index f33f6dea456..b46dfa0a4db 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"456b6592c38d14120e7233536c45a931ee7b22bb5df3603ad26a402ee2b82d14","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index ce02282581d..6574a35ca60 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"72dbf860132a4d0ae8db6ca180f997e0372f690ad6fa78d3d036e7f83a09d58b","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index da46d6b95a5..29cb4d62015 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"99bf3c2b742a1d014a04ec5091af42a1fb844a51172f0f6cb47a9cbec63d509d","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"github/codeql-action/upload-sarif","sha":"0e9f55954318745b37b7933c693bc093f7336125","version":"v4.35.1"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 0a7a132c081..622c961049d 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"443e99278b63394f838898d7fb51c4d770ca682c4e465fe7812f0a58ef73e0db","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index eda4ce6eee5..a99aec49188 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d2577c6b4aaa777637a8b1214b6e764108c8813f32e154bd59c50c2b9a305b9e","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 75403831113..ac84b867694 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"e5a5b641150892d124f84174486a550043df6ceeae82c6f35889b284e7b1e716","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 2424b3100a8..db15d4bb411 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6dbc0303a21fefaaf6858ce70a602bbe327bad8cf6dcbbb59bb04ea3012bee14","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-otel-instrumentation-advisor.lock.yml b/.github/workflows/daily-otel-instrumentation-advisor.lock.yml index 9455d9c6bdc..be1c50c5b1a 100644 --- a/.github/workflows/daily-otel-instrumentation-advisor.lock.yml +++ b/.github/workflows/daily-otel-instrumentation-advisor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"bedad05bf98468a5684a05ea8cf936a01ce01937bcc163a56404177c39607291","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","SENTRY_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index e7da6c847f4..441ce566c45 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"dab4404a56f9457a90a60a43c9dcc2c8dc713aaf7b665b10545cbc979104bf45","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 29b030e7272..62b96eb6da6 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"404faf333dea58c0580ea8f2138d28d97575e347c489f6324975cb73af3d2773","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index f567d50c464..135a8621400 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f5cabce20f980a3560973a0d362fbd67a2c7a4b79e28e90113f6993122b6c55c","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 689b258a9fa..523ba24a899 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f9ee8487bf0d663497861fc5eed8fa3489a91997b768364e277317c6566fed62","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index ec1f49eb04b..4d2d84ea5eb 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"08e167ca90652a29f4e7139b7523f1f0c9f08cf80e647551878530b5b6849300","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index d5cee807599..216ffdec491 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6223b54672ea58a836fa9ed9dd01f8b4096242e9a8a226852c5b2ed701a64afb","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 9bbaeee8926..ecdb7828d91 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"749d6ba072cc58f77c11c4c62b9a955fd7642a3cdf11286abdde0c9d3ea67218","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index d11cb820002..3ba6a98276d 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"72e1d0cd291b3e93720c1ad9821e35e72edc3fba2843098e184493463dd11fe1","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index f049ab6e67a..690e0236297 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"87251f5881eb7fdb58ffb6272f689651f7482818ea5a18e2c74afdd8c7b23eed","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 69d1b859298..e792d7f4572 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"382d6fe3b41415b5cae993c2cc5b6ffb80c2e51b44a1c615efc69bf6dcd5ad7b","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"github/codeql-action/upload-sarif","sha":"0e9f55954318745b37b7933c693bc093f7336125","version":"v4.35.1"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index ed31aa63bfe..6a7b869408c 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3b4232eff1a0cd5bd7ae4e4aa48acf238bc123aa91947ac6f16a5cb9e4ab0d83","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 98eb2bcaee2..5cc5fec9abe 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"da910f3d3a817c351430afabd8b191bea52753486df47a775d569b2c46e7931c","agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index f785b0a8aa1..943fd0da978 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8beac603739b2f4844a217e8ec20a0ef515690daa29fa80355745d7e909b6c9c","stop_time":"2026-02-09 04:24:39","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index ccc6065a2bc..c6c17ba02fa 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9b8a0ad8ecc713ae5a0ca103385b791fb08f58b7b20d9372ccb27de39ec92f54","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 8b62b42c2b1..5eefee0f318 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fc193f695cade53bc26256f6fa97846dafdfb8bbfed5279b9d23ffc77eb0e592","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index c355ce44024..facefda154e 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c23eb716e8315a583cf67898540e0a8a6a7b1006dbdd9c3dd0b8c3ba3933422e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 50186ef32d0..c1bd47615ac 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"767bbaca09434d94313b972a0ef8141d87151cf26e525c8aa82f4fee27d1826e","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index c6b4565dfe4..6b15c692697 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"824c692ca5de2234ae59dcae2168fc2d13cac9aa3ca14fe59139347568d8a3a0","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index b8179fab747..bf3bdd7101e 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3385b9d23f6b393c771300b0c3cfd146abde6b5bf351064a62425da228008c44","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 1f7bc5cf3b0..161739ab30b 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"936acae1b16aba951a9cc53413a1e64be04525aae607eb3435fc99c9324f6cdd","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index d81af8d5da7..40e0e009efc 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f118003f8e408d7cadb2e85b53023b481ed91ae92c9b72439159ea3d886358c8","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index e713d124d1a..be18d12e5b4 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f2db9c60ffade5201b584c2a37f70b4b265da2ed28c9e8080b43dcae2d11ee6c","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index b9a21e85ef1..266912d8263 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c916c9280e6a4e746fd7edfb30978fc5d870068d63ef349d4f43d5665eba0256","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 5e638f39846..4a0be528db7 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4b21931b3ece51eb6cee156b903d117287cc99a9c4268483506bfb13bcafdfa4","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index caf4909504f..60b0c7def73 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8bbb367544933bd7a60c7a32d647a5763a8b974f59723056e46692d58347a96c","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 0d5325ea333..6499eb30fd3 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"099f1b955ddb5f6aa943db1153bec1b95c8b6a8d3088f71b21a1c94450fb690b","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 4b1a040f2ff..12b6057faf1 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c6eb2caa9620b443d909c6fdf3be709069b7b91df9578cbf98351a04923d8a25","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 90ff515d820..3d730f9c6ce 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4c03da6f43eb324285434eacdb515ebb471da4aa442266383eebc7ed682cd946","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index d2ab7122139..ff228c66d3c 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cbc025e1319832edb0b85151db2c36cdde748e467faf1d0d20c646d33e8a0542","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 365f2641587..739332550b4 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9df414db30809d112be19a218a775672182db5ae35c0279a4baa8509d8dc447f","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index c8010306b40..31fc08c7646 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"74e501e0d13e7e5a3b2d21418bc8460f5c0023998ac599caa303fec99234b69e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index f3b8998bd40..5af385a3daa 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2a0e834ee3cd0e91a2b612df54c1ffa488ab6e446f79ede1851d9af4a6365de0","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 974c2a2c264..fbbdb52df26 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3f482fd4077daa43f3de442e51373010b992262926cb396dfadad062cd60126d","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index e70c4273f17..384b74d5864 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8a7f256c121670968e01f0f188be5056f363ca82163386e009e2cc71076669ae","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index e04e072ee0d..ae3df344cd2 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"27e4ecbd62023446ef3354213c3c778ca3839cc72f94b7e7c212cebf46c7f1f6","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index f6d03b81b44..b0aa0dd3a68 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"99a56d17334046f65691c5899578182fd48a441a38e0498586ad54f4c211f837","strict":true,"agent_id":"copilot","agent_model":"gpt-5.1-codex-mini"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index f34a29c63a1..1dba1bb52a4 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9b640aae4b997ac32d7320316a5a46f2b3dfbaeda7b58ba5e6148f4ec3745ae8","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 6e38498d090..bc1964a8b47 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9b2dfe08c0d213fee0d2ccab1b71e7b30f8a3f30f72eea47ba07256820a507dc","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 99cd6c08f4f..da48031e513 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4701538e32cbe3a56742cfc4d67a420e9c704076476b5ad9b212c6e46b0b645a","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 9aff24a963c..c3e804a1357 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"dc2cde38b55169485659d1f07e137cfa8bbf50807971eea3ceabf6c331ab4ba8","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 13c4dcca5c2..b2fa1faf58c 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"1b7f098702e7643df894da19caba20595287aaefc04ba61db7e51e9f040f0918","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index ff808f6ae83..0f879a56149 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"7fafdd0e061ebf649879a793ac588736d92cbb1d5022cb5c5f307c5782f70bc7","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 2684f83054d..872941a8c67 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5fbe0d7d7a884b35a13db8b5e85d4516fe9ca3feb1b87620988c23b92280441f","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index d069a9b8438..9aa0017fb52 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"294c9591637dd8ed73b97015a73573a11428987e6b5d9bbdf69fb46c9bb9f07b","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 20d977ef315..91a87fc0140 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8eb6521efd0a3da256d5d8122e8e688f327f1746a697564ad27229d7eca12440","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index d981d7d09f8..732cc090887 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"36780c7b3dfa373ce5fd74314c445dbb2794ba22515e14c31123ee0062f65ea6","strict":true,"agent_id":"copilot","agent_model":"gpt-5.1-codex-mini"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index d996e7ad8bf..a33abbdef68 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f4e1d4caf31a9ba3331998df97d2a875fb04f78033d9c3925e5f0a813a6c342b","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 96d9ad7edb2..ca06fb86d9b 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"dd86446c86ebaaeba36e9e964665af7108fbb2b5fad335f400c2378bbf43fc68","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index c220e8033f3..9db727ba560 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"32cec4338cb562bfaaf4c4d96115c5d041fc6a0c0d2cf1ba313a88caa11c7fa8","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 95acf19365c..d4f1ab10285 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fdfe5ff3afe18bc175832a76b3fe5bc90dff82ee63a1eb7768c6bd8a9108cf15","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index eddc983cf1a..7464f9ad1f9 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c8a47c3aeff6acd01d5c5e432ecbc8b4ed86e51c2cf4e210a98e85e3f580fe3b","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["AZURE_CLIENT_ID","AZURE_CLIENT_SECRET","AZURE_TENANT_ID","BRAVE_API_KEY","CONTEXT7_API_KEY","COPILOT_GITHUB_TOKEN","DD_API_KEY","DD_APPLICATION_KEY","DD_SITE","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","NOTION_API_TOKEN","SENTRY_ACCESS_TOKEN","SENTRY_OPENAI_API_KEY","SLACK_BOT_TOKEN","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"astral-sh/setup-uv","sha":"cec208311dfd045dd5311c1add060b2062131d57","version":"v8.0.0"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 72b7b95975f..dbcf08f6e30 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c981d37f11bc2c11773de35070124859129139ba95aff08624c563605165439f","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 10fd25bb309..d4db86264f3 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b5f384f27d5b48e0c6e4600f71718bafab6244d85c1bf0e04afeadeef6c76147","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 976b310c372..b8c45bdcb28 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"92dea2779599cc352b88f4ecc85cd97c218fdb3693e7d906216308624b4aab66","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","NOTION_API_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index b30595a3ec6..1c70c004261 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"854516e8df913fa62f2b8288d45ac30f2b2711b98c3d9b8dc25e7e1ff91a977f","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 2ef7ac84943..b0b22da7e7e 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"eb90a6ec345d58c7a3fc8bab0c8431b0a27f9e3b5c933377a053c10756967c91","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index dd912b46a92..57a4495421b 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2ef6d836d569a09b7c2504cf554ca69cee43f7433fc3aa8ebc52dd31170815bd","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index a5dbd9592b6..36c75a225ea 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"e2d671c2f3b2f83a8609098d8ab054223ef6a120903156fb9d340bdad359a203","strict":true,"agent_id":"copilot","agent_model":"gpt-5"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 77d98f3c63e..f79264d6358 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"96f96cc39cacd29bba2b533a731b98b8f753665731894d429968bc6976d10354","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index c258a27f2aa..b4d7d304e67 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3a3569523c6724705718f55fd70609a53530291225ae7a15a0b76da7ec5b59ef","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index b3b50680091..726163b653e 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"192e43dac8430c63fcaef36dc9ecaf928511a154644626ed4650db14473292ed","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 3e14bb2a4d7..d36e513139b 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"faf8c5791431939d907180ff957c037ce53ecd1641d0022121eda2de46fc1a3f","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 7f47bd918bc..978d29c6ab1 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fea56ce855d62d8ab45a91075e76e3d0e962187e06f6b07d7ca24ecf50d2f4c0","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index f90391abda3..5a2f4a683c6 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"ac89fcdaf6ff5ce52cd3854c0951c11f2bf3b716e36d931d08427f06ec995e0b","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 8a5e8b89ea7..272ebf358e9 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a24e20b4cb3c287f7e685d1fc703a775a706bc6183adee885c1ab8c440b22fa4","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 4bfd70590fb..e85c615e7ef 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8320cf3937aa521ad81e03ae14a98a09e0bce08e0f87cd11a904d2226bd7c649","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"anchore/sbom-action","sha":"e22c389904149dbc22b58101806040fa8d37a610","version":"v0.24.0"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/login-action","sha":"4907a6ddec9925e35a0a9e82d7399ccc52663121","version":"v4.1.0"},{"repo":"docker/metadata-action","sha":"030e881283bb7a6894de51c315a6bfe6a94e05cf","version":"v6"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 694720e9cb8..c91231cda99 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0b4bada9496a836ee6efdd29850596f977273575fd68151a8e99678edf7d635c","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index d3b554fe4e9..7b37d8c03be 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3353c3598b8b70f6c9ad4b1b6d40b6ce12bc6a526a3d0323c46b8b7f71c9b16c","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index f462addd72d..798e0e6e1fd 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c4b901163feff6fa274650fbe23a1ad7741d333f9428684a0845c1baf2cec7c4","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 9f6d6932a83..09e4246cd32 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d0a1dc5317a1a485182e80d6b6942132e16b2af637d6e359401d4cb31928f55e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","TAVILY_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index d1dae510bd1..166719d2642 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f65ef56b469719c2d7f6f9a4107804e6b7a7dac6357fc3babf2bc73e52451d34","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index bf720482a3e..2a0a4b6407c 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cea73f8de22ee6d0fc084dcadfd32158202533bd89cefeb391b56a0a130f01e1","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 1d937370187..2805c0c7482 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b2485044fe50ac694b13847b8e81e9843410a1e4742bf2a412d69819d10a11fd","strict":true,"agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index a8a827e5482..c0b1ca50f59 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fe2c637001fc04b38474ca02069dd34e3010e2ad4067c5ff6bdc2dddea4c37d9","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 35d5c8a8777..b090f7ceaca 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"ac721452420c95290a05ee1132b880e999e484a2f0230c0b0a1fd9ed9a2af142","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index e3f00456f95..05ac4da42fd 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6ecca246dd0374191c856225bc90cc06e2242edf9eb66809e6794acd1742ba63","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 46529ebf1a6..4790589a1e8 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"61198277500b7cca0b2607a7663b884d3b5dcaedb767286e1449d0b4fe0fc785","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 40e9dc36132..31cbc290a33 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"af533ebfcee6ef0562c1a099c964f0b1cbe1df627ceccd31c0b1ec1e0273906a","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 88126e4ec47..87854f7f49e 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"5fd4d0e409380c23608e3e688e4085262945b249421a29cb45ec8f93e01a6bfc","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index b3b43f501ea..c39dc22a962 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"22dc1d23ad5ad71a5e912572b23834cc8abc63d22950529e0e5355ba0808298d","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 853eeed25b2..2441fc9731d 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"febb5333802364a0c956fa5cb79c58e38f99fb1e06da3fdb22249bfb97c7cf9b","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 4e153d4c700..772f314a227 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"9dfa45dc43501b96d5820283983af09657a9cc7fb2937896dbce6cc48567bfce","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 7998929d870..1047a31d70e 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0689bcc33779a4eb30073ded30c26743b845e44c7f45619b90e7ddd0ed52a4b0","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 704b193e163..2fae1528796 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cabb9d7144dcfe860e1ca6e0134a15a2d90603d342be8b98ec7c487f353683fb","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 71501f236c8..52bb30b9f32 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c756bd0c55c7bcc0fd9fbbde65f7cacbfbea7b64437453590ba196f42b63e791","strict":true,"agent_id":"codex","agent_model":"gpt-5.1-codex-mini"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 3ab24d98f41..1b8fc245904 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"454f66031b0e6e619800359b2605b2f9531f48c3cc020512d732938216c4309e","agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GH_AW_PLUGINS_TOKEN","GITHUB_TOKEN","TAVILY_API_KEY"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"},{"repo":"github/codeql-action/upload-sarif","sha":"0e9f55954318745b37b7933c693bc093f7336125","version":"v4.35.1"},{"repo":"microsoft/apm-action","sha":"a190b0b1a91031057144dc136acf9757a59c9e4d","version":"v1.4.1"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index ac9e7cf019c..112f3d2677a 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"36a6bb4d4265c3f19bf5f05afbef41c0b6f36fc73c29514dd70721fde491e981","agent_id":"codex"} +# gh-aw-manifest: {"version":1,"secrets":["CODEX_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN","OPENAI_API_KEY"],"actions":[{"repo":"actions-ecosystem/action-add-labels","sha":"c96b68fec76a0987cd93957189e9abd0b9a72ff1","version":"v1.1.3"},{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 2e3cb4fbaeb..f28eb5f7a53 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"f3ad11103c02b273bf8958c12ebf912959bee3d66916c08d5a0585eb69a593b2","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index aeced6b14ab..4f7971a6356 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6d0a385e47ce5ed241f4358e1578525037722f288b64d3dc18289d01bd352fbd","agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 4c341024077..960d3d5aeee 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"183ac727afd39894587c1583781dc7aafb67e0486e3e10ec3b1cf0bc0c06bbd4","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GH_AW_SIDE_REPO_PAT","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index de761430fcc..4c3394b9d2e 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6fa73425f890e6d8352976a82978abd62ab75f0e8c76c235d19c3487d1402c76","strict":true,"agent_id":"gemini"} +# gh-aw-manifest: {"version":1,"secrets":["GEMINI_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index b3a0de921bb..3ff77015653 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d8bcc8ab8a733152e54dbd392cc469cf8acf46f91800d17dab1f7587a22186f5","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 7810e28464d..fc6e7c91d90 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8bcae22e790c498a4d0c4a24fc23384ec7be4e39f2bbf10b06bbed77bb070c0f","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GH_AW_PROJECT_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-service-ports.lock.yml b/.github/workflows/smoke-service-ports.lock.yml index d36d69eaa18..6f8d7aee14e 100644 --- a/.github/workflows/smoke-service-ports.lock.yml +++ b/.github/workflows/smoke-service-ports.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4e6eb08c392b1448e95987ada56dfdfd47e9914daf5da49dfc37e76e60eaa2eb","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index a242c86ec43..d01ca86882c 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"b6f00aacc0138c6dab5d64e347168a6343ecd145b3a0f387fe33d00d145d51d1","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 7b313aa137e..4d6f32c3629 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"210a11e5de26719232a8a53e306c93ae65ba45a77ddf077dbc6ddbedcd7bd4f2","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-dotnet","sha":"c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7","version":"v5.2.0"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-java","sha":"be666c2fcd27ec809703dec50e508c2fdc7f6654","version":"v5.2.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index dd810f07d9f..3f0b85029ac 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"37969d7efee1f2ce613593cabdd72ef4de128a21581b663ac51177ae4e663e3e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_ENDPOINT","GH_AW_OTEL_HEADERS","GH_AW_SIDE_REPO_PAT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 12602d5c200..d1d737ed822 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"70659d13c51a9ae641724fcb962c32d078d6734c237660a62fdc5ccc0e7c999d","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 950f580b308..c741c028352 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a902b60754d3446607c3e3ee3fc802126f4ae96b4c7a3aa9f579b0c4c30d3fad","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index e29e9f093b1..fd836a01beb 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"771b4788c1532c9d57dcb31e2c09ee99602cb99270beebe73d8c1e79e768eda2","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"github/stale-repos","sha":"25946246f29e8692a397502045e457c4dc96c6e4","version":"v9.0.7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index b3d0b60b075..e494d4447f2 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"869b3b7da437d108347555f117c98d89b01ab2ed5a2be53b6a2742578863909b","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 32390fc198f..bf28c2d95e2 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"013931389b5fee5fd1bfa5c8050369f2de9c3c778fe7d5a829c305f02300098c","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index fb63573e2ef..f5469625e8e 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a264c4ba93f8e06faac6ccf53833c472a92e3eb4fd9930e9910a4719562e3337","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index a2813e8f862..71d646586fa 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2ce2d0b512b7d66eaad655313191a13858000f445b94035ad25b974fbe30a84e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"super-linter/super-linter","sha":"9e863354e3ff62e0727d37183162c4a88873df41","version":"v8.6.0"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 7d50ce48f61..806457ce2fd 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"33b3c7ad42f704f8d0fef6913db279a9e014becaf070a94d58818747e3a69579","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index db5fcedd0df..1d04cf4719b 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8a97b8b917c11d921e962ff02d53e457aa84fd4e83b672aa42f05c820bc87599","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 1513246c542..cb3bdf23455 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"56ed383223178c83cf59d59dc38aa7e14a9cf53f0a4bc96927b48cfdf328eb16","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index b16422015e5..13532a73088 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4bd8c07c60ebeaf4e44c563129d014bb1e8565000ce66a6a74cea2bc733a6c70","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 440d0926bef..7c96835b4ad 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"919aa9db316c03def96f98fa19bea30f29ce46d039263de87340d928180c4ab8","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_PROJECT_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 44981c587dd..21233421496 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c1289924ef5c241c6bf7aede9e9822e6fe5e48cd5d6242834bb75725a19e6fd8","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index aa48ee41851..ca6649dd633 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"40b3ed11d8ead35f3b00d50ddab1b4ca82117eb81cdd2fd11133a8618b770177","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 6693f12c1f7..17944094144 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"1fe020449c197612d61cfc4de732359c56421e4e1d07d9798844bf6398acf1cb","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 3ed2f31871b..3b4a2792a5c 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"17771797667713ac9be02e8d82488e686144d32e516fadd663650ae21c06f701","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 9dfd5c54736..248c6a95626 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"1ae4e5383c436b1efe74d4b42f9d98ebbf090b3cb0dcac95947fd88f9417c48d","strict":true,"agent_id":"claude"} +# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 5edab0e2bb4..3cc08fd2a1b 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6b6e4fc6351d48419353b1289bbc19a82a2c8c0845cc3309d046a41f2187bf94","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 08b016412b1..897c3c7491e 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"94cc0589aede07110b1d6cf1389de05ec934688bb94f1c2d067d22c1b6b31915","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 3be2efb3ec7..147a494386a 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0139b066770f5a7f66a639d4741dc808fc71ee7c99108f5092836dc06622c047","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 7d3920c4920..98789dfeddb 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"14d8bdeb32a4dc257f4ddd7b84ee9f5339b6369fc2521f4b8640cc1fa9ca22a7","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 1a2f80afe6a..714f321c47d 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"864fb943fd3eb42fddcfbcdcf35799a93dd0938a7ec74d797bd422064ba97b6e","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/cache/save","sha":"668228422ae6a00e4ad889ee87cd7109ec5666a7","version":"v5.0.4"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index cc8c1548d21..c10e6db0a3e 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2eef978d34fc24da55686e78a0f9e8c21bfb52914f27173715d007bd8e30d4c0","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index ebc5e12dcbe..2d0c797049d 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cfd7f6135eab81d11cbd703b3436241bc379da2ede370ecb3285f2186bde6d06","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_AGENT_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index c4d2e52adc0..c705e9dcd1c 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"4227776f06975052b956f8bbf91a7aba77854cf8557dccef3f6b99b4125d7c69","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 231c0bb7d5d..2d27d24efff 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c4d3ae709d0b09bf46341c2e6f1f18e49a86247b10f23da62fe5336d26267505","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"docker/build-push-action","sha":"d08e5c354a6adb9ed34480a06d141179aa583294","version":"v7"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 0800a2dc7eb..5130053d783 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1,4 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fa23a957b1efd0ee21238a12543a2571f315073a9c05439e5155136ca2a6650d","strict":true,"agent_id":"copilot"} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ diff --git a/cmd/gh-aw/main.go b/cmd/gh-aw/main.go index db94f8c469b..50fe6890ea2 100644 --- a/cmd/gh-aw/main.go +++ b/cmd/gh-aw/main.go @@ -282,6 +282,8 @@ Examples: failFast, _ := cmd.Flags().GetBool("fail-fast") noCheckUpdate, _ := cmd.Flags().GetBool("no-check-update") scheduleSeed, _ := cmd.Flags().GetString("schedule-seed") + safeUpdate, _ := cmd.Flags().GetBool("safe-update") + priorManifestFile, _ := cmd.Flags().GetString("prior-manifest-file") verbose, _ := cmd.Flags().GetBool("verbose") if err := validateEngine(engineOverride); err != nil { return err @@ -335,6 +337,8 @@ Examples: Stats: stats, FailFast: failFast, ScheduleSeed: scheduleSeed, + SafeUpdate: safeUpdate, + PriorManifestFile: priorManifestFile, } if _, err := cli.CompileWorkflows(cmd.Context(), config); err != nil { // Return error as-is without additional formatting @@ -681,6 +685,12 @@ Use "` + string(constants.CLIExtensionPrefix) + ` help all" to show help for all compileCmd.Flags().Bool("fail-fast", false, "Stop at the first validation error instead of collecting all errors") compileCmd.Flags().Bool("no-check-update", false, "Skip checking for gh-aw updates") compileCmd.Flags().String("schedule-seed", "", "Override the repository slug (owner/repo) used as seed for fuzzy schedule scattering (e.g. 'github/gh-aw'). Bypasses git remote detection entirely. Use this when your git remote is not named 'origin' and you have multiple remotes configured") + compileCmd.Flags().Bool("safe-update", false, "Force-enable safe update mode independently of strict mode. Safe update mode is normally equivalent to strict mode: it emits a warning prompt when compilations introduce new restricted secrets or unapproved action additions/removals not present in the existing gh-aw-manifest. Use this flag to enable safe update enforcement on a workflow that has strict: false in its frontmatter") + compileCmd.Flags().String("prior-manifest-file", "", "Path to a JSON file containing pre-cached gh-aw-manifests (map[lockFile]*GHAWManifest); used by the MCP server to supply a tamper-proof manifest baseline captured at startup") + if err := compileCmd.Flags().MarkHidden("prior-manifest-file"); err != nil { + // Non-fatal: flag is registered even if MarkHidden fails + _ = err + } compileCmd.MarkFlagsMutuallyExclusive("dir", "workflows-dir") // Register completions for compile command diff --git a/pkg/cli/compile_compiler_setup.go b/pkg/cli/compile_compiler_setup.go index 0addb763aab..69c5ec70ce7 100644 --- a/pkg/cli/compile_compiler_setup.go +++ b/pkg/cli/compile_compiler_setup.go @@ -155,6 +155,21 @@ func configureCompilerFlags(compiler *workflow.Compiler, config CompileConfig) { if config.ForceRefreshActionPins { compileCompilerSetupLog.Print("Force refresh action pins enabled: will clear cache and resolve all actions from GitHub API") } + + // Set safe update flag: when set via CLI it force-enables safe update enforcement + // independently of the workflow's strict mode setting. + compiler.SetSafeUpdate(config.SafeUpdate) + if config.SafeUpdate { + compileCompilerSetupLog.Print("Safe update mode force-enabled via --safe-update flag: compilations introducing new restricted secrets or unapproved action additions/removals will emit a warning prompt requesting agent review and a PR security note") + } + + // Load pre-cached manifests from file (written by MCP server at startup). + // These take precedence over git HEAD / filesystem reads for safe update enforcement. + if config.PriorManifestFile != "" { + if err := loadPriorManifestFile(compiler, config.PriorManifestFile); err != nil { + compileCompilerSetupLog.Printf("Failed to load prior manifest file %s: %v (safe update will fall back to git HEAD / filesystem)", config.PriorManifestFile, err) + } + } } // setupActionMode configures the action script inlining mode @@ -225,3 +240,38 @@ func setupRepositoryContext(compiler *workflow.Compiler, config CompileConfig) { compileCompilerSetupLog.Print("No repository slug found") } } + +// loadPriorManifestFile reads a JSON file containing pre-cached manifests and +// registers each entry with the compiler. The file must contain a JSON object +// mapping lock-file paths to serialised GHAWManifest objects, as written by +// writePriorManifestFile in the MCP server startup path. +func loadPriorManifestFile(compiler *workflow.Compiler, filePath string) error { + data, err := os.ReadFile(filePath) + if err != nil { + return fmt.Errorf("read prior manifest file: %w", err) + } + + var raw map[string]*json.RawMessage + if err := json.Unmarshal(data, &raw); err != nil { + return fmt.Errorf("unmarshal prior manifest file: %w", err) + } + + manifests := make(map[string]*workflow.GHAWManifest, len(raw)) + for lockFile, msg := range raw { + if msg == nil { + // nil entry means "treat as empty manifest" (new workflow with no prior lock file) + manifests[lockFile] = nil + continue + } + var m workflow.GHAWManifest + if err := json.Unmarshal(*msg, &m); err != nil { + compileCompilerSetupLog.Printf("Skipping malformed manifest for %s: %v", lockFile, err) + continue + } + manifests[lockFile] = &m + } + + compiler.SetPriorManifests(manifests) + compileCompilerSetupLog.Printf("Loaded %d pre-cached manifest(s) from %s", len(manifests), filePath) + return nil +} diff --git a/pkg/cli/compile_config.go b/pkg/cli/compile_config.go index af119749110..26576bef19c 100644 --- a/pkg/cli/compile_config.go +++ b/pkg/cli/compile_config.go @@ -28,6 +28,8 @@ type CompileConfig struct { Stats bool // Display statistics table sorted by file size FailFast bool // Stop at first error instead of collecting all errors ScheduleSeed string // Override repository slug used for fuzzy schedule scattering (e.g. owner/repo) + SafeUpdate bool // Force-enable safe update mode regardless of strict mode setting. Safe update mode is normally equivalent to strict mode (active whenever strict mode is active). + PriorManifestFile string // Path to a JSON file containing pre-cached manifests (map[lockFile]*GHAWManifest) collected at MCP server startup; takes precedence over git HEAD / filesystem reads for safe update enforcement } // WorkflowFailure represents a failed workflow with its error count diff --git a/pkg/cli/compile_pipeline.go b/pkg/cli/compile_pipeline.go index 22f7c3d9463..49e9e8a3d34 100644 --- a/pkg/cli/compile_pipeline.go +++ b/pkg/cli/compile_pipeline.go @@ -164,6 +164,9 @@ func compileSpecificFiles( // Display schedule warnings displayScheduleWarnings(compiler, config.JSONOutput) + // Display safe update warnings (emitted as prompts for the calling agent) + displaySafeUpdateWarnings(compiler, config.JSONOutput) + // Post-processing if err := runPostProcessing(compiler, workflowDataList, config, compiledCount); err != nil { return workflowDataList, err @@ -317,6 +320,9 @@ func compileAllFilesInDirectory( // Display schedule warnings displayScheduleWarnings(compiler, config.JSONOutput) + // Display safe update warnings (emitted as prompts for the calling agent) + displaySafeUpdateWarnings(compiler, config.JSONOutput) + if config.Verbose { fmt.Fprintln(os.Stderr, console.FormatSuccessMessage(fmt.Sprintf("Successfully compiled %d out of %d workflow files", successCount, len(mdFiles)))) } @@ -394,6 +400,20 @@ func displayScheduleWarnings(compiler *workflow.Compiler, jsonOutput bool) { } } +// displaySafeUpdateWarnings displays any safe update warning prompts accumulated by the +// compiler. Each entry is a structured message that instructs the calling agent to: +// - Review new secrets/actions for malicious use +// - Add a security review note to the pull request description +func displaySafeUpdateWarnings(compiler *workflow.Compiler, jsonOutput bool) { + warnings := compiler.GetSafeUpdateWarnings() + if len(warnings) == 0 || jsonOutput { + return + } + for _, w := range warnings { + fmt.Fprintln(os.Stderr, console.FormatWarningMessage(w)) + } +} + // runPostProcessing runs post-processing for specific files compilation func runPostProcessing( compiler *workflow.Compiler, diff --git a/pkg/cli/compile_safe_update_integration_test.go b/pkg/cli/compile_safe_update_integration_test.go new file mode 100644 index 00000000000..00f4b980b6f --- /dev/null +++ b/pkg/cli/compile_safe_update_integration_test.go @@ -0,0 +1,560 @@ +//go:build integration + +package cli + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// safeUpdateWorkflowWithSecret is a minimal workflow that includes a custom job +// with a non-GITHUB_TOKEN secret in its environment. The secret reference will +// appear in the compiled YAML body and be detected by CollectSecretReferences. +const safeUpdateWorkflowWithSecret = `--- +name: Safe Update Secret Test +on: + workflow_dispatch: +permissions: + contents: read +engine: copilot +jobs: + secret-job: + runs-on: ubuntu-latest + needs: [activation] + env: + MY_API_SECRET: ${{ secrets.MY_API_SECRET }} + steps: + - run: echo "hello" +--- + +# Safe Update Secret Test + +Test workflow that uses a custom secret in a custom job. +` + +// safeUpdateWorkflowWithCustomAction is a minimal workflow that includes a custom +// job using a non-actions/* action reference. The uses: line will appear in the +// compiled YAML body and be detected by CollectActionReferences. +const safeUpdateWorkflowWithCustomAction = `--- +name: Safe Update Action Test +on: + workflow_dispatch: +permissions: + contents: read +engine: copilot +jobs: + action-job: + runs-on: ubuntu-latest + needs: [activation] + steps: + - uses: my-org/custom-action@v1 +--- + +# Safe Update Action Test + +Test workflow that uses a custom action in a custom job. +` + +// safeUpdateWorkflowBasic is a minimal workflow that uses only GITHUB_TOKEN and +// actions/* actions. Safe update mode should allow it on a first compile. +const safeUpdateWorkflowBasic = `--- +name: Safe Update Basic Test +on: + workflow_dispatch: +permissions: + contents: read +engine: copilot +--- + +# Safe Update Basic Test + +Test workflow that uses only GITHUB_TOKEN. +` + +// manifestWithAPISecret is a minimal lock file content containing a gh-aw-manifest +// that pre-approves MY_API_SECRET. Writing this to the lock file path +// before compilation simulates a workflow that was previously compiled and approved. +func manifestLockFileWithSecret(secretName string) string { + return fmt.Sprintf( + "# gh-aw-metadata: {\"schema_version\":\"v3\",\"frontmatter_hash\":\"abc\",\"agent_id\":\"copilot\"}\n"+ + "# gh-aw-manifest: {\"version\":1,\"secrets\":[\"%s\",\"GITHUB_TOKEN\"],\"actions\":[]}\n"+ + "name: placeholder\n", + secretName, + ) +} + +// TestSafeUpdateWarnOnNewSecretOnFirstCompile verifies that --safe-update emits a +// warning (not an error) when a first compilation introduces a non-GITHUB_TOKEN +// secret and no prior manifest exists. The compilation must succeed and the lock +// file must be written so that the agent receives the actionable warning. +func TestSafeUpdateWarnsOnNewSecretOnFirstCompile(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + workflowPath := filepath.Join(setup.workflowsDir, "safe-update-secret.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithSecret), 0o644), + "should write workflow file") + + cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + // Compilation must succeed (warning, not error) + assert.NoError(t, err, "compile should succeed in safe update mode (violation emits warning, not error)\nOutput:\n%s", outputStr) + // Warning must reference the violation and request a security review + assert.Contains(t, outputStr, "safe update mode", "output should mention safe update mode") + assert.Contains(t, outputStr, "MY_API_SECRET", "warning should name the offending secret") + assert.Contains(t, outputStr, "SECURITY REVIEW REQUIRED", "warning should request a security review") + // Lock file must still be written + lockFilePath := filepath.Join(setup.workflowsDir, "safe-update-secret.lock.yml") + _, statErr := os.Stat(lockFilePath) + assert.NoError(t, statErr, "lock file should be written even when a safe-update warning is emitted") + t.Logf("Safe update correctly emitted warning for new secret.\nOutput:\n%s", outputStr) +} + +// TestSafeUpdateWarnOnNewCustomActionOnFirstCompile verifies that --safe-update emits +// a warning (not an error) when a first compilation introduces a non-actions/* action +// reference and no prior manifest exists. Compilation must succeed. +func TestSafeUpdateWarnsOnNewCustomActionOnFirstCompile(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + workflowPath := filepath.Join(setup.workflowsDir, "safe-update-action.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithCustomAction), 0o644), + "should write workflow file") + + cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + // Compilation must succeed (warning, not error) + assert.NoError(t, err, "compile should succeed in safe update mode (violation emits warning, not error)\nOutput:\n%s", outputStr) + // Warning must reference the violation and request a security review + assert.Contains(t, outputStr, "safe update mode", "output should mention safe update mode") + assert.Contains(t, outputStr, "my-org/custom-action", "warning should name the offending action") + assert.Contains(t, outputStr, "SECURITY REVIEW REQUIRED", "warning should request a security review") + // Lock file must still be written + lockFilePath := filepath.Join(setup.workflowsDir, "safe-update-action.lock.yml") + _, statErr := os.Stat(lockFilePath) + assert.NoError(t, statErr, "lock file should be written even when a safe-update warning is emitted") + t.Logf("Safe update correctly emitted warning for new custom action.\nOutput:\n%s", outputStr) +} + +// TestSafeUpdateAllowsKnownSecretWithPriorManifest verifies that --safe-update +// allows a compilation when the secret is already recorded in the prior manifest +// embedded in the existing lock file. +// +// The test uses a two-step approach: first compile without --safe-update to produce +// a complete lock file with the full manifest (including engine-internal secrets and +// actions), then compile again with --safe-update. Since nothing changed between the +// two compilations, no new secrets or actions are introduced and the second compile +// must succeed. +func TestSafeUpdateAllowsKnownSecretWithPriorManifest(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + workflowPath := filepath.Join(setup.workflowsDir, "safe-update-known-secret.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithSecret), 0o644), + "should write workflow file") + + // Step 1: Compile without --safe-update to generate the full lock file + manifest. + // (Engine-internal secrets such as COPILOT_GITHUB_TOKEN are also captured here.) + step1Cmd := exec.Command(setup.binaryPath, "compile", workflowPath) + step1Cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + step1Out, step1Err := step1Cmd.CombinedOutput() + require.NoError(t, step1Err, + "first compilation (no --safe-update) should succeed\nOutput:\n%s", string(step1Out)) + + lockFilePath := filepath.Join(setup.workflowsDir, "safe-update-known-secret.lock.yml") + lockContent, readErr := os.ReadFile(lockFilePath) + require.NoError(t, readErr, "should read lock file after first compile") + require.Contains(t, string(lockContent), "MY_API_SECRET", + "lock file manifest should include MY_API_SECRET after first compile") + + // Step 2: Compile the identical workflow with --safe-update. The lock file from + // step 1 acts as the prior manifest. Nothing changed, so this must succeed. + step2Cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + step2Cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := step2Cmd.CombinedOutput() + outputStr := string(output) + + assert.NoError(t, err, "compile should succeed when the secret is in the prior manifest\nOutput:\n%s", outputStr) + t.Logf("Safe update correctly allowed known secret.\nOutput:\n%s", outputStr) +} + +// TestSafeUpdateAllowsGitHubTokenOnFirstCompile verifies that --safe-update allows +// a compilation that introduces no new non-GITHUB_TOKEN secrets compared to a +// previously recorded manifest. +// +// Uses a two-step approach: step 1 compiles without --safe-update to record the +// baseline manifest (which includes engine-internal secrets in release mode); step 2 +// recompiles the same workflow with --safe-update and expects success because the +// manifest is unchanged. +func TestSafeUpdateAllowsGitHubTokenOnFirstCompile(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + workflowPath := filepath.Join(setup.workflowsDir, "safe-update-basic.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowBasic), 0o644), + "should write workflow file") + + // Step 1: Establish the baseline manifest with a normal compile. + step1Cmd := exec.Command(setup.binaryPath, "compile", workflowPath) + step1Cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + step1Out, step1Err := step1Cmd.CombinedOutput() + require.NoError(t, step1Err, + "first compilation (no --safe-update) should succeed\nOutput:\n%s", string(step1Out)) + + lockFilePath := filepath.Join(setup.workflowsDir, "safe-update-basic.lock.yml") + lockContent, readErr := os.ReadFile(lockFilePath) + require.NoError(t, readErr, "should read lock file after first compile") + require.Contains(t, string(lockContent), "gh-aw-manifest:", + "lock file should contain a gh-aw-manifest header after first compile") + + // Step 2: Re-compile with --safe-update. No secrets were added so this must succeed. + step2Cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + step2Cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := step2Cmd.CombinedOutput() + outputStr := string(output) + + assert.NoError(t, err, "compile should succeed when no new secrets are introduced\nOutput:\n%s", outputStr) + + // Verify the manifest is still present in the (re-)generated lock file. + updatedLock, readErr2 := os.ReadFile(lockFilePath) + require.NoError(t, readErr2, "should read updated lock file") + assert.Contains(t, string(updatedLock), "gh-aw-manifest:", "lock file should still contain a gh-aw-manifest header") + assert.NotContains(t, string(updatedLock), "MY_API_SECRET", "lock file manifest should not contain unapproved secrets") + t.Logf("Safe update correctly allowed GITHUB_TOKEN-only workflow.\nOutput:\n%s", outputStr) +} + +// safeUpdateWorkflowNonStrict is a minimal workflow that explicitly opts out of +// strict mode. Because safe update mode == strict mode, setting strict: false +// also disables safe update enforcement, letting new secrets compile freely. +const safeUpdateWorkflowNonStrict = `--- +name: Non Strict Workflow +on: + workflow_dispatch: +permissions: + contents: read +engine: copilot +strict: false +jobs: + secret-job: + runs-on: ubuntu-latest + needs: [activation] + env: + MY_API_SECRET: ${{ secrets.MY_API_SECRET }} + steps: + - run: echo "hello" +--- + +# Non Strict Workflow + +Workflow with strict: false, which also disables safe update enforcement. +` + +// TestSafeUpdateNoFlagAllowsNewSecret verifies that when strict mode is disabled +// (strict: false in frontmatter) safe update enforcement is also disabled — new +// secrets compile without any safe-update warning. +func TestSafeUpdateNoFlagAllowsNewSecret(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + workflowPath := filepath.Join(setup.workflowsDir, "no-safe-update.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowNonStrict), 0o644), + "should write workflow file") + + // strict: false in frontmatter disables strict mode and therefore safe update mode. + cmd := exec.Command(setup.binaryPath, "compile", workflowPath) + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + assert.NoError(t, err, "compile with strict: false should succeed without safe update warning\nOutput:\n%s", outputStr) + assert.False(t, strings.Contains(outputStr, "safe update mode"), + "output should not mention safe update mode when strict mode is disabled") + t.Logf("Compilation without safe update enforcement succeeded as expected.\nOutput:\n%s", outputStr) +} + +// --- Transitive import tests ------------------------------------------------- +// +// The following tests verify that the gh-aw-manifest embedded in a compiled +// lock file captures the *transitive closure* of all secrets and actions +// referenced by the workflow, including those introduced by imported shared +// workflow files. + +// safeUpdateSharedMCPConfig is a shared workflow file that declares an MCP +// server whose env references a non-GITHUB_TOKEN secret. It is imported by +// safeUpdateWorkflowWithImport below. +const safeUpdateSharedMCPConfig = `--- +mcp-servers: + shared-mcp: + container: "mcp/shared" + env: + SHARED_API_KEY: "${{ secrets.SHARED_API_KEY }}" + allowed: + - "shared_op" +--- +` + +// safeUpdateWorkflowWithImport is a workflow that imports safeUpdateSharedMCPConfig. +// After compilation the manifest should include SHARED_API_KEY even though +// the secret is declared in the imported file, not the top-level workflow. +const safeUpdateWorkflowWithImport = `--- +name: Safe Update Import Test +on: + workflow_dispatch: +permissions: + contents: read +engine: copilot +imports: + - shared/shared-mcp.md +--- + +# Safe Update Import Test + +Test workflow that imports a shared config containing a secret. +` + +// safeUpdateSharedLevel2Config is a second-level shared workflow that itself +// imports safeUpdateSharedLevel3Config. This is used to verify 3-level +// transitive import chains. +const safeUpdateSharedLevel2Config = `--- +imports: + - shared/level3.md +--- +` + +// safeUpdateSharedLevel3Config is a third-level shared workflow that declares +// an MCP server env with a deeply nested secret. +const safeUpdateSharedLevel3Config = `--- +mcp-servers: + deep-mcp: + container: "mcp/deep" + env: + DEEP_NESTED_SECRET: "${{ secrets.DEEP_NESTED_SECRET }}" + allowed: + - "deep_op" +--- +` + +// safeUpdateWorkflowWithTransitiveImport is a workflow that imports level2, +// which imports level3. The manifest must include DEEP_NESTED_SECRET. +const safeUpdateWorkflowWithTransitiveImport = `--- +name: Safe Update Transitive Import Test +on: + workflow_dispatch: +permissions: + contents: read +engine: copilot +imports: + - shared/level2.md +--- + +# Safe Update Transitive Import Test + +Test workflow that uses a 3-level transitive import chain. +` + +// writeSharedImportFiles is a helper that creates the shared/ directory and +// writes the shared import files for import-related integration tests. +func writeSharedImportFiles(t *testing.T, workflowsDir string) { + t.Helper() + sharedDir := filepath.Join(workflowsDir, "shared") + require.NoError(t, os.MkdirAll(sharedDir, 0o755), "should create shared dir") + require.NoError(t, + os.WriteFile(filepath.Join(sharedDir, "shared-mcp.md"), []byte(safeUpdateSharedMCPConfig), 0o644), + "should write shared MCP config") + require.NoError(t, + os.WriteFile(filepath.Join(sharedDir, "level2.md"), []byte(safeUpdateSharedLevel2Config), 0o644), + "should write level-2 shared config") + require.NoError(t, + os.WriteFile(filepath.Join(sharedDir, "level3.md"), []byte(safeUpdateSharedLevel3Config), 0o644), + "should write level-3 shared config") +} + +// TestSafeUpdateManifestIncludesImportedSecret verifies that compiling a +// workflow that imports a shared config containing a secret embeds that secret +// in the gh-aw-manifest of the generated lock file. +func TestSafeUpdateManifestIncludesImportedSecret(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + writeSharedImportFiles(t, setup.workflowsDir) + + workflowPath := filepath.Join(setup.workflowsDir, "import-secret.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithImport), 0o644), + "should write workflow file") + + // Compile without --safe-update so we can inspect the manifest freely. + cmd := exec.Command(setup.binaryPath, "compile", workflowPath) + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + require.NoError(t, err, "compilation should succeed\nOutput:\n%s", outputStr) + + lockPath := filepath.Join(setup.workflowsDir, "import-secret.lock.yml") + lockContent, readErr := os.ReadFile(lockPath) + require.NoError(t, readErr, "should read lock file") + + assert.Contains(t, string(lockContent), "SHARED_API_KEY", + "manifest should include the secret from the imported shared config") + lines := strings.Split(string(lockContent), "\n") + if len(lines) > 1 { + t.Logf("Manifest correctly includes imported secret.\nLock file header:\n%s", lines[1]) + } +} + +// TestSafeUpdateRejectsNewSecretFromImport verifies that --safe-update emits a warning +// when the new secret is introduced via an imported workflow rather than directly in +// the top-level workflow frontmatter. Compilation must still succeed. +func TestSafeUpdateWarnsOnNewSecretFromImport(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + writeSharedImportFiles(t, setup.workflowsDir) + + workflowPath := filepath.Join(setup.workflowsDir, "import-safe-update.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithImport), 0o644), + "should write workflow file") + + // No prior lock file — safe update treats this as an empty manifest. + cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + // Compilation must succeed (warning, not error) + assert.NoError(t, err, + "compile should succeed (violation emits warning, not error) when import introduces a new secret under --safe-update\nOutput:\n%s", outputStr) + assert.Contains(t, outputStr, "safe update mode", + "warning should mention safe update mode") + assert.Contains(t, outputStr, "SHARED_API_KEY", + "warning should name the secret that came from the import") + assert.Contains(t, outputStr, "SECURITY REVIEW REQUIRED", + "warning should request a security review") + t.Logf("Safe update correctly warned about secret introduced via import.\nOutput:\n%s", outputStr) +} + +// TestSafeUpdateAllowsImportedSecretWithPriorManifest verifies that --safe-update +// allows compilation when the secret introduced by an import is already recorded +// in the prior lock file's gh-aw-manifest. +// +// The test uses a two-step approach to avoid hard-coding the full set of +// engine-required secrets in the prior manifest: +// 1. Compile without --safe-update to produce a lock file with the full manifest. +// 2. Compile again with --safe-update; the existing lock file (from step 1) acts as +// the prior manifest and the compilation should succeed since no new +// secrets or actions are being introduced. +func TestSafeUpdateAllowsImportedSecretWithPriorManifest(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + writeSharedImportFiles(t, setup.workflowsDir) + + workflowPath := filepath.Join(setup.workflowsDir, "import-approved.md") + require.NoError(t, os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithImport), 0o644), + "should write workflow file") + + // Step 1: Compile without --safe-update to generate the lock file + manifest. + step1Cmd := exec.Command(setup.binaryPath, "compile", workflowPath) + step1Cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + step1Out, step1Err := step1Cmd.CombinedOutput() + require.NoError(t, step1Err, + "first compilation (no --safe-update) should succeed\nOutput:\n%s", string(step1Out)) + + // Verify the lock file was created and contains the manifest. + lockPath := filepath.Join(setup.workflowsDir, "import-approved.lock.yml") + lockContent, readErr := os.ReadFile(lockPath) + require.NoError(t, readErr, "should read lock file after first compile") + require.Contains(t, string(lockContent), "SHARED_API_KEY", + "lock file manifest should include the imported secret after first compile") + + // Step 2: Compile again with --safe-update. The lock file from step 1 serves + // as the prior manifest. No new secrets or actions are introduced so this must succeed. + step2Cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + step2Cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + step2Out, step2Err := step2Cmd.CombinedOutput() + outputStr := string(step2Out) + + assert.NoError(t, step2Err, + "second compilation (with --safe-update) should succeed when imported secret is already in the manifest\nOutput:\n%s", outputStr) + t.Logf("Safe update correctly allowed pre-approved imported secret.\nOutput:\n%s", outputStr) +} + +// TestSafeUpdateManifestIncludesTransitivelyImportedSecret verifies that the +// gh-aw-manifest includes secrets declared in a *transitively* imported workflow +// (A imports B, B imports C, C declares the secret). This confirms that the +// manifest computation covers the full transitive closure of imports. +func TestSafeUpdateManifestIncludesTransitivelyImportedSecret(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + writeSharedImportFiles(t, setup.workflowsDir) + + workflowPath := filepath.Join(setup.workflowsDir, "transitive-import.md") + require.NoError(t, + os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithTransitiveImport), 0o644), + "should write workflow file") + + // Compile without --safe-update so we can freely inspect the manifest. + cmd := exec.Command(setup.binaryPath, "compile", workflowPath) + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + require.NoError(t, err, "compilation should succeed\nOutput:\n%s", outputStr) + + lockPath := filepath.Join(setup.workflowsDir, "transitive-import.lock.yml") + lockContent, readErr := os.ReadFile(lockPath) + require.NoError(t, readErr, "should read lock file") + + assert.Contains(t, string(lockContent), "DEEP_NESTED_SECRET", + "manifest should include the secret from the transitively imported (level-3) shared config") + lines := strings.Split(string(lockContent), "\n") + if len(lines) > 1 { + t.Logf("Manifest correctly includes transitively imported secret.\nLock file header:\n%s", lines[1]) + } +} + +// TestSafeUpdateRejectsTransitivelyImportedSecretOnFirstCompile verifies that +// --safe-update emits a warning when the new secret is introduced via a transitive +// import (A imports B, B imports C, C declares the secret). Compilation must succeed. +func TestSafeUpdateWarnsOnTransitivelyImportedSecretOnFirstCompile(t *testing.T) { + setup := setupIntegrationTest(t) + defer setup.cleanup() + + writeSharedImportFiles(t, setup.workflowsDir) + + workflowPath := filepath.Join(setup.workflowsDir, "transitive-safe-update.md") + require.NoError(t, + os.WriteFile(workflowPath, []byte(safeUpdateWorkflowWithTransitiveImport), 0o644), + "should write workflow file") + + // No prior lock file — safe update treats this as an empty manifest. + cmd := exec.Command(setup.binaryPath, "compile", workflowPath, "--safe-update") + cmd.Env = append(os.Environ(), "GH_AW_ACTION_MODE=release") + output, err := cmd.CombinedOutput() + outputStr := string(output) + + // Compilation must succeed (warning, not error) + assert.NoError(t, err, + "compile should succeed (violation emits warning, not error) when a transitive import introduces a new secret under --safe-update\nOutput:\n%s", outputStr) + assert.Contains(t, outputStr, "safe update mode", + "warning should mention safe update mode") + assert.Contains(t, outputStr, "DEEP_NESTED_SECRET", + "warning should name the secret that came from the transitive import") + assert.Contains(t, outputStr, "SECURITY REVIEW REQUIRED", + "warning should request a security review") + t.Logf("Safe update correctly warned about secret from transitive import.\nOutput:\n%s", outputStr) +} diff --git a/pkg/cli/mcp_safe_update_cache.go b/pkg/cli/mcp_safe_update_cache.go new file mode 100644 index 00000000000..856830bb489 --- /dev/null +++ b/pkg/cli/mcp_safe_update_cache.go @@ -0,0 +1,79 @@ +package cli + +import ( + "encoding/json" + "fmt" + "os" + "path/filepath" + + "github.com/github/gh-aw/pkg/workflow" +) + +// CollectLockFileManifests scans all *.lock.yml files in workflowsDir (defaults to +// ".github/workflows") and extracts their gh-aw-manifest headers. The returned map +// is keyed by the lock-file path exactly as produced by the compiler so that lookups +// in the compiler's priorManifests map always match. +// +// This function must be called at MCP server startup, before any agent interaction, +// so that the returned manifests cannot be tampered with by the agent. +func CollectLockFileManifests(workflowsDir string) map[string]*workflow.GHAWManifest { + if workflowsDir == "" { + workflowsDir = ".github/workflows" + } + + result := make(map[string]*workflow.GHAWManifest) + + pattern := filepath.Join(workflowsDir, "*.lock.yml") + lockFiles, err := filepath.Glob(pattern) + if err != nil { + mcpLog.Printf("Failed to glob lock files in %s: %v", workflowsDir, err) + return result + } + + for _, lockFile := range lockFiles { + content, err := os.ReadFile(lockFile) + if err != nil { + mcpLog.Printf("Failed to read lock file %s: %v", lockFile, err) + continue + } + + manifest, err := workflow.ExtractGHAWManifestFromLockFile(string(content)) + if err != nil { + mcpLog.Printf("Failed to extract manifest from %s: %v", lockFile, err) + continue + } + + // Store with the same path key the compiler will use (filepath.Clean of the lock file path). + result[filepath.Clean(lockFile)] = manifest + if manifest != nil { + mcpLog.Printf("Cached manifest for %s: %d secret(s), %d action(s)", lockFile, len(manifest.Secrets), len(manifest.Actions)) + } else { + mcpLog.Printf("Cached nil manifest for %s (no gh-aw-manifest header)", lockFile) + } + } + + mcpLog.Printf("Pre-cached %d lock-file manifest(s) at startup", len(result)) + return result +} + +// WritePriorManifestFile serialises the manifest cache to a temporary JSON file and +// returns its path. The caller is responsible for removing the file when done. +func WritePriorManifestFile(cache map[string]*workflow.GHAWManifest) (string, error) { + data, err := json.Marshal(cache) + if err != nil { + return "", fmt.Errorf("marshal manifest cache: %w", err) + } + + f, err := os.CreateTemp("", "gh-aw-manifest-cache-*.json") + if err != nil { + return "", fmt.Errorf("create manifest cache file: %w", err) + } + defer f.Close() + + if _, err := f.Write(data); err != nil { + _ = os.Remove(f.Name()) + return "", fmt.Errorf("write manifest cache file: %w", err) + } + + return f.Name(), nil +} diff --git a/pkg/cli/mcp_server.go b/pkg/cli/mcp_server.go index 9d6a071f147..3126c1b7313 100644 --- a/pkg/cli/mcp_server.go +++ b/pkg/cli/mcp_server.go @@ -13,7 +13,7 @@ import ( type execCmdFunc func(ctx context.Context, args ...string) *exec.Cmd // createMCPServer creates and configures the MCP server with all tools -func createMCPServer(cmdPath string, actor string, validateActor bool) *mcp.Server { +func createMCPServer(cmdPath string, actor string, validateActor bool, manifestCacheFile string) *mcp.Server { // Helper function to execute command with proper path execCmd := func(ctx context.Context, args ...string) *exec.Cmd { if cmdPath != "" { @@ -56,7 +56,7 @@ func createMCPServer(cmdPath string, actor string, validateActor bool) *mcp.Serv // Register read-only tools registerStatusTool(server) - if err := registerCompileTool(server, execCmd); err != nil { + if err := registerCompileTool(server, execCmd, manifestCacheFile); err != nil { return server } diff --git a/pkg/cli/mcp_server_command.go b/pkg/cli/mcp_server_command.go index a8c44f09288..9ff133b1749 100644 --- a/pkg/cli/mcp_server_command.go +++ b/pkg/cli/mcp_server_command.go @@ -153,8 +153,30 @@ func runMCPServer(port int, cmdPath string, validateActor bool) error { fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Configuration validation warning: %v", err))) } + // Pre-cache lock-file manifests at startup, before any agent can modify the working tree. + // The cache is serialised to a temp file so that each compile subprocess invocation + // can reference it via --prior-manifest-file. + manifestCacheFile := "" + manifestCache := CollectLockFileManifests("") + if len(manifestCache) > 0 { + cacheFile, err := WritePriorManifestFile(manifestCache) + if err != nil { + mcpLog.Printf("Failed to write manifest cache file: %v (safe update will fall back to git HEAD / filesystem)", err) + } else { + manifestCacheFile = cacheFile + mcpLog.Printf("Manifest cache written to %s (%d entries)", cacheFile, len(manifestCache)) + fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Pre-cached %d workflow manifest(s) for safe update enforcement", len(manifestCache)))) + // Clean up the temp file when the server exits + defer func() { + if removeErr := os.Remove(cacheFile); removeErr != nil && !os.IsNotExist(removeErr) { + mcpLog.Printf("Failed to remove manifest cache file %s: %v", cacheFile, removeErr) + } + }() + } + } + // Create the server configuration - server := createMCPServer(cmdPath, actor, validateActor) + server := createMCPServer(cmdPath, actor, validateActor, manifestCacheFile) if port > 0 { // Run HTTP server with SSE transport diff --git a/pkg/cli/mcp_tools_readonly.go b/pkg/cli/mcp_tools_readonly.go index c7b0f46b194..0385ac2febe 100644 --- a/pkg/cli/mcp_tools_readonly.go +++ b/pkg/cli/mcp_tools_readonly.go @@ -69,8 +69,12 @@ Returns a JSON array where each element has the following structure: } // registerCompileTool registers the compile tool with the MCP server. +// manifestCacheFile is the path to a temp JSON file containing pre-cached gh-aw-manifests +// collected at server startup; it is passed to each compile subprocess via +// --prior-manifest-file so the compiler uses tamper-proof manifests for safe update +// enforcement. An empty string disables this feature. // Returns an error if schema generation fails, which causes the server to stop registering tools. -func registerCompileTool(server *mcp.Server, execCmd execCmdFunc) error { +func registerCompileTool(server *mcp.Server, execCmd execCmdFunc, manifestCacheFile string) error { type compileArgs struct { Workflows []string `json:"workflows,omitempty" jsonschema:"Workflow files to compile (empty for all)"` Strict bool `json:"strict,omitempty" jsonschema:"Override frontmatter to enforce strict mode validation for all workflows. Note: Workflows default to strict mode unless frontmatter sets strict: false"` @@ -177,6 +181,12 @@ Returns JSON array with validation results for each workflow: cmdArgs = append(cmdArgs, args.Workflows...) + // Pass the pre-cached manifest file when available so the compiler uses + // the tamper-proof manifest baseline captured at server startup. + if manifestCacheFile != "" { + cmdArgs = append(cmdArgs, "--prior-manifest-file", manifestCacheFile) + } + mcpLog.Printf("Executing compile tool: workflows=%v, strict=%v, fix=%v, zizmor=%v, poutine=%v, actionlint=%v", args.Workflows, args.Strict, args.Fix, args.Zizmor, args.Poutine, args.Actionlint) diff --git a/pkg/gitutil/gitutil.go b/pkg/gitutil/gitutil.go index 77db8309d71..0151e1a26e8 100644 --- a/pkg/gitutil/gitutil.go +++ b/pkg/gitutil/gitutil.go @@ -3,6 +3,7 @@ package gitutil import ( "fmt" "os/exec" + "path/filepath" "strings" "github.com/github/gh-aw/pkg/logger" @@ -79,3 +80,51 @@ func FindGitRoot() (string, error) { log.Printf("Found git root: %s", gitRoot) return gitRoot, nil } + +// ReadFileFromHEAD returns the content of filePath as recorded in the most recent +// git commit (HEAD). This is used in safe update mode so that the manifest baseline +// comes from the committed version of the lock file, not from the working-tree copy, +// preventing a local agent from tampering with the file to bypass enforcement. +// +// filePath may be absolute or relative; it is resolved to an absolute path before +// computing its path relative to the git root. +// +// Returns an error when: +// - the current directory is not inside a git repository +// - the file does not exist in HEAD (e.g. it has never been committed) +// - the git command fails for another reason +func ReadFileFromHEAD(filePath string) (string, error) { + gitRoot, err := FindGitRoot() + if err != nil { + return "", fmt.Errorf("cannot read %q from git HEAD: %w", filePath, err) + } + + absPath, err := filepath.Abs(filePath) + if err != nil { + return "", fmt.Errorf("cannot resolve absolute path for %q: %w", filePath, err) + } + + // git show requires the path to be relative to the repository root and to use + // forward slashes even on Windows. + relPath, err := filepath.Rel(gitRoot, absPath) + if err != nil { + return "", fmt.Errorf("cannot compute path of %q relative to git root %q: %w", absPath, gitRoot, err) + } + + // Reject paths that escape the repository (e.g. "../secret"). + if strings.HasPrefix(relPath, "..") { + return "", fmt.Errorf("path %q is outside the git repository root %q", filePath, gitRoot) + } + + relPath = filepath.ToSlash(relPath) + + log.Printf("Reading %q from git HEAD (relative path: %s)", filePath, relPath) + + cmd := exec.Command("git", "show", "HEAD:"+relPath) + output, err := cmd.Output() + if err != nil { + log.Printf("File %q not found in HEAD commit: %v", filePath, err) + return "", fmt.Errorf("file %q not found in HEAD commit: %w", filePath, err) + } + return string(output), nil +} diff --git a/pkg/gitutil/gitutil_test.go b/pkg/gitutil/gitutil_test.go index f3a22c5a0fb..ad037b799d0 100644 --- a/pkg/gitutil/gitutil_test.go +++ b/pkg/gitutil/gitutil_test.go @@ -3,6 +3,7 @@ package gitutil import ( + "path/filepath" "testing" "github.com/stretchr/testify/assert" @@ -250,3 +251,21 @@ func TestFindGitRoot(t *testing.T) { assert.NotEmpty(t, gitRoot, "FindGitRoot should return a non-empty path") }) } + +func TestReadFileFromHEAD(t *testing.T) { + t.Run("reads a committed file successfully", func(t *testing.T) { + // go.mod is always committed at the repo root, so it should be readable from HEAD. + gitRoot, err := FindGitRoot() + require.NoError(t, err, "must be inside a git repository") + + content, err := ReadFileFromHEAD(filepath.Join(gitRoot, "go.mod")) + require.NoError(t, err, "go.mod should be readable from HEAD") + assert.NotEmpty(t, content, "go.mod content should not be empty") + assert.Contains(t, content, "module ", "go.mod should contain a module declaration") + }) + + t.Run("returns error for file not in HEAD", func(t *testing.T) { + _, err := ReadFileFromHEAD("/nonexistent/path/that/is/not/in/git/repo/file.yml") + assert.Error(t, err, "should fail for a file not tracked by git") + }) +} diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index 7588b3696d8..9ea890fa281 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go @@ -12,6 +12,7 @@ import ( "time" "github.com/github/gh-aw/pkg/console" + "github.com/github/gh-aw/pkg/gitutil" "github.com/github/gh-aw/pkg/logger" "github.com/github/gh-aw/pkg/stringutil" "go.yaml.in/yaml/v3" @@ -443,11 +444,12 @@ Ensure proper audience validation and trust policies are configured.` // generateAndValidateYAML generates GitHub Actions YAML and validates // the output size and format. -func (c *Compiler) generateAndValidateYAML(workflowData *WorkflowData, markdownPath string, lockFile string) (string, error) { - // Generate the YAML content - yamlContent, err := c.generateYAML(workflowData, markdownPath) +func (c *Compiler) generateAndValidateYAML(workflowData *WorkflowData, markdownPath string, lockFile string) (string, []string, []string, error) { + // Generate the YAML content along with the collected body secrets and action refs + // (returned to avoid a second scan of the full YAML in the caller for safe update enforcement). + yamlContent, bodySecrets, bodyActions, err := c.generateYAML(workflowData, markdownPath) if err != nil { - return "", formatCompilerError(markdownPath, "error", fmt.Sprintf("failed to generate YAML: %v", err), err) + return "", nil, nil, formatCompilerError(markdownPath, "error", fmt.Sprintf("failed to generate YAML: %v", err), err) } // Always validate expression sizes - this is a hard limit from GitHub Actions (21KB) @@ -461,7 +463,7 @@ func (c *Compiler) generateAndValidateYAML(workflowData *WorkflowData, markdownP if writeErr := os.WriteFile(invalidFile, []byte(yamlContent), 0644); writeErr == nil { fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Invalid workflow YAML written to: "+console.ToRelativePath(invalidFile))) } - return "", formattedErr + return "", nil, nil, formattedErr } // Template injection validation and GitHub Actions schema validation both require a @@ -500,7 +502,7 @@ func (c *Compiler) generateAndValidateYAML(workflowData *WorkflowData, markdownP if writeErr := os.WriteFile(invalidFile, []byte(yamlContent), 0644); writeErr == nil { fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Workflow with template injection risks written to: "+console.ToRelativePath(invalidFile))) } - return "", formattedErr + return "", nil, nil, formattedErr } } @@ -533,7 +535,7 @@ func (c *Compiler) generateAndValidateYAML(workflowData *WorkflowData, markdownP if writeErr := os.WriteFile(invalidFile, []byte(yamlContent), 0644); writeErr == nil { fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Invalid workflow YAML written to: "+console.ToRelativePath(invalidFile))) } - return "", formattedErr + return "", nil, nil, formattedErr } // Validate container images used in MCP configurations @@ -548,26 +550,26 @@ func (c *Compiler) generateAndValidateYAML(workflowData *WorkflowData, markdownP // Validate runtime packages (npx, uv) log.Print("Validating runtime packages") if err := c.validateRuntimePackages(workflowData); err != nil { - return "", formatCompilerError(markdownPath, "error", fmt.Sprintf("runtime package validation failed: %v", err), err) + return "", nil, nil, formatCompilerError(markdownPath, "error", fmt.Sprintf("runtime package validation failed: %v", err), err) } // Validate firewall configuration (log-level enum) log.Print("Validating firewall configuration") if err := c.validateFirewallConfig(workflowData); err != nil { - return "", formatCompilerError(markdownPath, "error", fmt.Sprintf("firewall configuration validation failed: %v", err), err) + return "", nil, nil, formatCompilerError(markdownPath, "error", fmt.Sprintf("firewall configuration validation failed: %v", err), err) } // Validate repository features (discussions, issues) log.Print("Validating repository features") if err := c.validateRepositoryFeatures(workflowData); err != nil { - return "", formatCompilerError(markdownPath, "error", fmt.Sprintf("repository feature validation failed: %v", err), err) + return "", nil, nil, formatCompilerError(markdownPath, "error", fmt.Sprintf("repository feature validation failed: %v", err), err) } } else if c.verbose { fmt.Fprintln(os.Stderr, console.FormatWarningMessage("Schema validation available but skipped (use SetSkipValidation(false) to enable)")) c.IncrementWarningCount() } - return yamlContent, nil + return yamlContent, bodySecrets, bodyActions, nil } // writeWorkflowOutput writes the compiled workflow to the lock file @@ -670,6 +672,48 @@ func (c *Compiler) CompileWorkflowData(workflowData *WorkflowData, markdownPath log.Printf("Starting compilation: %s -> %s", markdownPath, lockFile) + // Read the existing lock file to extract the previous gh-aw-manifest for safe update + // enforcement. + // + // Priority (highest to lowest): + // 1. Pre-cached manifest supplied by the caller (e.g. MCP server collected at startup + // before any agent interaction, making it tamper-proof without requiring git access). + // 2. Content from the last git commit (HEAD) – prevents a local agent from modifying + // the .lock.yml file on disk to forge an approved manifest. + // 3. Filesystem read – fallback for first-time compilations or non-git environments. + var oldManifest *GHAWManifest + if cached, ok := c.priorManifests[lockFile]; ok { + oldManifest = cached + secretCount := 0 + if cached != nil { + secretCount = len(cached.Secrets) + } + log.Printf("Using pre-cached gh-aw-manifest for %s: %d secret(s)", lockFile, secretCount) + } else if committedContent, readErr := gitutil.ReadFileFromHEAD(lockFile); readErr == nil { + if m, parseErr := ExtractGHAWManifestFromLockFile(committedContent); parseErr == nil { + oldManifest = m + if oldManifest != nil { + log.Printf("Loaded committed gh-aw-manifest from HEAD: %d secret(s)", len(oldManifest.Secrets)) + } + } else { + log.Printf("Failed to parse committed gh-aw-manifest: %v. Safe update enforcement will proceed without baseline comparison (all secrets will be considered new).", parseErr) + } + } else { + log.Printf("Lock file %s not found in HEAD commit (%v); falling back to filesystem read.", lockFile, readErr) + if existingContent, fsErr := os.ReadFile(lockFile); fsErr == nil { + if m, parseErr := ExtractGHAWManifestFromLockFile(string(existingContent)); parseErr == nil { + oldManifest = m + if oldManifest != nil { + log.Printf("Loaded gh-aw-manifest from filesystem: %d secret(s)", len(oldManifest.Secrets)) + } + } else { + log.Printf("Failed to parse filesystem gh-aw-manifest: %v. Safe update enforcement will treat as empty manifest.", parseErr) + } + } else { + log.Printf("Lock file %s not found on filesystem either (new workflow or not yet written). Safe update enforcement will treat as empty manifest.", lockFile) + } + } + // Validate workflow data if err := c.validateWorkflowData(workflowData, markdownPath); err != nil { return err @@ -681,12 +725,29 @@ func (c *Compiler) CompileWorkflowData(workflowData *WorkflowData, markdownPath // Note: compute-text functionality is now inlined directly in the task job // instead of using a shared action file - // Generate and validate YAML - yamlContent, err := c.generateAndValidateYAML(workflowData, markdownPath, lockFile) + // Generate and validate YAML (also embeds the new gh-aw-manifest in the header). + // Returns the collected body secrets and action refs to avoid duplicate scans for + // safe update enforcement. + yamlContent, bodySecrets, bodyActions, err := c.generateAndValidateYAML(workflowData, markdownPath, lockFile) if err != nil { return err } + // Enforce safe update mode: emit a warning prompt (not a hard error) when unapproved + // secrets or action changes are detected. body* vars contain data collected from the + // workflow body only (not the header) to avoid matching the gh-aw-manifest JSON comment. + // + // Emitting a warning instead of failing allows compilation to succeed so that the lock + // file is written and the agent receives the actionable guidance embedded in the warning. + if c.effectiveSafeUpdate(workflowData) { + if enforceErr := EnforceSafeUpdate(oldManifest, bodySecrets, bodyActions); enforceErr != nil { + warningMsg := buildSafeUpdateWarningPrompt(enforceErr.Error()) + c.AddSafeUpdateWarning(warningMsg) + fmt.Fprintln(os.Stderr, formatCompilerMessage(markdownPath, "warning", enforceErr.Error())) + c.IncrementWarningCount() + } + } + // Write output return c.writeWorkflowOutput(lockFile, yamlContent, markdownPath) } diff --git a/pkg/workflow/compiler_forks_test.go b/pkg/workflow/compiler_forks_test.go index 6b06a0d001d..bef13c9f5d4 100644 --- a/pkg/workflow/compiler_forks_test.go +++ b/pkg/workflow/compiler_forks_test.go @@ -596,7 +596,7 @@ tools: } // Generate YAML - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/compiler_string_api.go b/pkg/workflow/compiler_string_api.go index 7edd204a9ab..3164e0bcdd7 100644 --- a/pkg/workflow/compiler_string_api.go +++ b/pkg/workflow/compiler_string_api.go @@ -42,7 +42,7 @@ func (c *Compiler) CompileToYAML(workflowData *WorkflowData, markdownPath string return "", err } - yamlContent, err := c.generateAndValidateYAML(workflowData, markdownPath, lockFile) + yamlContent, _, _, err := c.generateAndValidateYAML(workflowData, markdownPath, lockFile) if err != nil { return "", err } diff --git a/pkg/workflow/compiler_test.go b/pkg/workflow/compiler_test.go index 91fadec55a2..0fcbf90ef85 100644 --- a/pkg/workflow/compiler_test.go +++ b/pkg/workflow/compiler_test.go @@ -630,7 +630,7 @@ func TestGenerateAndValidateYAML(t *testing.T) { compiler.stepOrderTracker = NewStepOrderTracker() compiler.artifactManager = NewArtifactManager() - yamlContent, err := compiler.generateAndValidateYAML(tt.workflowData, markdownPath, lockFile) + yamlContent, _, _, err := compiler.generateAndValidateYAML(tt.workflowData, markdownPath, lockFile) if tt.shouldError { require.Error(t, err, "Expected YAML generation to fail") diff --git a/pkg/workflow/compiler_types.go b/pkg/workflow/compiler_types.go index 91fa861f4ab..f7cf8e83261 100644 --- a/pkg/workflow/compiler_types.go +++ b/pkg/workflow/compiler_types.go @@ -32,6 +32,25 @@ func WithNoEmit(noEmit bool) CompilerOption { return func(c *Compiler) { c.noEmit = noEmit } } +// WithSafeUpdate configures whether to enforce safe update mode (reject newly introduced secrets +// and unapproved action additions/removals relative to the previously recorded manifest). +func WithSafeUpdate(safeUpdate bool) CompilerOption { + return func(c *Compiler) { c.safeUpdate = safeUpdate } +} + +// WithPriorManifest registers a pre-cached manifest for a specific lock file. +// When set, the compiler uses this manifest as the trusted baseline for safe update +// enforcement instead of reading from git HEAD or the filesystem. This is intended for +// use by the MCP server, which collects manifests at startup before any agent interaction. +func WithPriorManifest(lockFile string, manifest *GHAWManifest) CompilerOption { + return func(c *Compiler) { + if c.priorManifests == nil { + c.priorManifests = make(map[string]*GHAWManifest) + } + c.priorManifests[lockFile] = manifest + } +} + // WithFailFast configures whether to stop at first validation error func WithFailFast(failFast bool) CompilerOption { return func(c *Compiler) { c.failFast = failFast } @@ -52,40 +71,43 @@ type Compiler struct { verbose bool quiet bool // If true, suppress success messages (for interactive mode) engineOverride string - customOutput string // If set, output will be written to this path instead of default location - version string // Version of the extension - skipValidation bool // If true, skip schema validation - noEmit bool // If true, validate without generating lock files - strictMode bool // If true, enforce strict validation requirements - trialMode bool // If true, suppress safe outputs for trial mode execution - trialLogicalRepoSlug string // If set in trial mode, the logical repository to checkout - refreshStopTime bool // If true, regenerate stop-after times instead of preserving existing ones - forceRefreshActionPins bool // If true, clear action cache and resolve all actions from GitHub API - failFast bool // If true, stop at first validation error instead of collecting all errors - actionCacheCleared bool // Tracks if action cache has already been cleared (for forceRefreshActionPins) - markdownPath string // Path to the markdown file being compiled (for context in dynamic tool generation) - actionMode ActionMode // Mode for generating JavaScript steps (inline vs custom actions) - actionTag string // Override action SHA or tag for actions/setup (when set, overrides actionMode to release) - actionsRepo string // Override the external actions repository (default: github/gh-aw-actions) - jobManager *JobManager // Manages jobs and dependencies - engineRegistry *EngineRegistry // Registry of available agentic engines - engineCatalog *EngineCatalog // Catalog of engine definitions backed by the registry - fileTracker FileTracker // Optional file tracker for tracking created files - warningCount int // Number of warnings encountered during compilation - stepOrderTracker *StepOrderTracker // Tracks step ordering for validation - actionCache *ActionCache // Shared cache for action pin resolutions across all workflows - actionResolver *ActionResolver // Shared resolver for action pins across all workflows - actionPinWarnings map[string]bool // Shared cache of already-warned action pin failures (key: "repo@version") - importCache *parser.ImportCache // Shared cache for imported workflow files - workflowIdentifier string // Identifier for the current workflow being compiled (for schedule scattering) - scheduleWarnings []string // Accumulated schedule warnings for this compiler instance - repositorySlug string // Repository slug (owner/repo) used as seed for scattering - artifactManager *ArtifactManager // Tracks artifact uploads/downloads for validation - scheduleFriendlyFormats map[int]string // Maps schedule item index to friendly format string for current workflow - gitRoot string // Git repository root directory (if set, used for action cache path) - contentOverride string // If set, use this content instead of reading from disk (for Wasm/in-memory compilation) - skipHeader bool // If true, skip ASCII art header in generated YAML (for Wasm/editor mode) - inlinePrompt bool // If true, inline markdown content in YAML instead of using runtime-import macros (for Wasm builds) + customOutput string // If set, output will be written to this path instead of default location + version string // Version of the extension + skipValidation bool // If true, skip schema validation + noEmit bool // If true, validate without generating lock files + strictMode bool // If true, enforce strict validation requirements + safeUpdate bool // If true, enforce safe update mode (reject newly introduced secrets) + trialMode bool // If true, suppress safe outputs for trial mode execution + trialLogicalRepoSlug string // If set in trial mode, the logical repository to checkout + refreshStopTime bool // If true, regenerate stop-after times instead of preserving existing ones + forceRefreshActionPins bool // If true, clear action cache and resolve all actions from GitHub API + failFast bool // If true, stop at first validation error instead of collecting all errors + actionCacheCleared bool // Tracks if action cache has already been cleared (for forceRefreshActionPins) + markdownPath string // Path to the markdown file being compiled (for context in dynamic tool generation) + actionMode ActionMode // Mode for generating JavaScript steps (inline vs custom actions) + actionTag string // Override action SHA or tag for actions/setup (when set, overrides actionMode to release) + actionsRepo string // Override the external actions repository (default: github/gh-aw-actions) + jobManager *JobManager // Manages jobs and dependencies + engineRegistry *EngineRegistry // Registry of available agentic engines + engineCatalog *EngineCatalog // Catalog of engine definitions backed by the registry + fileTracker FileTracker // Optional file tracker for tracking created files + warningCount int // Number of warnings encountered during compilation + stepOrderTracker *StepOrderTracker // Tracks step ordering for validation + actionCache *ActionCache // Shared cache for action pin resolutions across all workflows + actionResolver *ActionResolver // Shared resolver for action pins across all workflows + actionPinWarnings map[string]bool // Shared cache of already-warned action pin failures (key: "repo@version") + importCache *parser.ImportCache // Shared cache for imported workflow files + workflowIdentifier string // Identifier for the current workflow being compiled (for schedule scattering) + scheduleWarnings []string // Accumulated schedule warnings for this compiler instance + safeUpdateWarnings []string // Accumulated safe update warnings (new secrets/actions requiring review) + repositorySlug string // Repository slug (owner/repo) used as seed for scattering + artifactManager *ArtifactManager // Tracks artifact uploads/downloads for validation + scheduleFriendlyFormats map[int]string // Maps schedule item index to friendly format string for current workflow + gitRoot string // Git repository root directory (if set, used for action cache path) + contentOverride string // If set, use this content instead of reading from disk (for Wasm/in-memory compilation) + skipHeader bool // If true, skip ASCII art header in generated YAML (for Wasm/editor mode) + inlinePrompt bool // If true, inline markdown content in YAML instead of using runtime-import macros (for Wasm builds) + priorManifests map[string]*GHAWManifest // Pre-cached manifests keyed by lock file path; takes precedence over git HEAD / filesystem reads } // NewCompiler creates a new workflow compiler with functional options. @@ -152,6 +174,14 @@ func (c *Compiler) SetNoEmit(noEmit bool) { c.noEmit = noEmit } +// SetSafeUpdate configures whether to force-enable safe update mode via the CLI flag. +// Safe update mode is normally equivalent to strict mode (active when strict mode is active). +// This flag provides an additional override to enable safe update mode independently of +// the strict mode setting. +func (c *Compiler) SetSafeUpdate(safeUpdate bool) { + c.safeUpdate = safeUpdate +} + // SetFileTracker sets the file tracker for tracking created files func (c *Compiler) SetFileTracker(tracker FileTracker) { c.fileTracker = tracker @@ -253,6 +283,39 @@ func (c *Compiler) GetScheduleWarnings() []string { return c.scheduleWarnings } +// AddSafeUpdateWarning appends a safe update warning to the compiler's accumulated list. +// Callers should invoke this when a safe update violation is detected instead of +// returning a compilation error, so that compilation still succeeds and the agent +// receives actionable guidance. +func (c *Compiler) AddSafeUpdateWarning(warning string) { + if c.safeUpdateWarnings == nil { + c.safeUpdateWarnings = []string{} + } + c.safeUpdateWarnings = append(c.safeUpdateWarnings, warning) +} + +// GetSafeUpdateWarnings returns all accumulated safe update warnings for this compiler instance. +func (c *Compiler) GetSafeUpdateWarnings() []string { + return c.safeUpdateWarnings +} + +// SetPriorManifest registers a pre-cached manifest for a specific lock file path. +// When set, the compiler uses this as the trusted baseline for safe update enforcement +// instead of reading from git HEAD or the filesystem. Intended for use by the MCP +// server, which pre-captures manifests at startup before any agent can tamper with them. +func (c *Compiler) SetPriorManifest(lockFile string, manifest *GHAWManifest) { + if c.priorManifests == nil { + c.priorManifests = make(map[string]*GHAWManifest) + } + c.priorManifests[lockFile] = manifest +} + +// SetPriorManifests replaces the entire pre-cached manifest map. +// Equivalent to calling SetPriorManifest for every entry in the map. +func (c *Compiler) SetPriorManifests(manifests map[string]*GHAWManifest) { + c.priorManifests = manifests +} + // getSharedActionResolver returns the shared action resolver, initializing it on first use // This ensures all workflows compiled by this compiler instance share the same in-memory cache func (c *Compiler) getSharedActionResolver() (*ActionCache, *ActionResolver) { diff --git a/pkg/workflow/compiler_workflow_call_test.go b/pkg/workflow/compiler_workflow_call_test.go index f03c89f04a0..67f17710ff5 100644 --- a/pkg/workflow/compiler_workflow_call_test.go +++ b/pkg/workflow/compiler_workflow_call_test.go @@ -280,7 +280,7 @@ Create an issue and add a comment. workflowData, err := compiler.ParseWorkflowFile(testFile) require.NoError(t, err, "failed to parse workflow file") - yamlOutput, err := compiler.generateYAML(workflowData, testFile) + yamlOutput, _, _, err := compiler.generateYAML(workflowData, testFile) require.NoError(t, err, "failed to generate YAML") // Verify workflow_call outputs section is present diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index 2502092ad26..c8363c18cf1 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -34,6 +34,18 @@ func (c *Compiler) effectiveStrictMode(frontmatter map[string]any) bool { return true } +// effectiveSafeUpdate returns true when safe update mode should be enforced for +// the given workflow. Safe update mode is equivalent to strict mode: it is +// enabled whenever strict mode is active (CLI --strict flag, frontmatter +// strict: true, or the default). It can also be force-enabled via the CLI +// --safe-update flag independently of strict mode. +func (c *Compiler) effectiveSafeUpdate(data *WorkflowData) bool { + if c.safeUpdate { + return true + } + return c.effectiveStrictMode(data.RawFrontmatter) +} + // buildJobsAndValidate builds all workflow jobs and validates their dependencies. // It resets the job manager, builds jobs from the workflow data, and performs // dependency and duplicate step validation. @@ -103,6 +115,16 @@ func (c *Compiler) generateWorkflowHeader(yaml *strings.Builder, data *WorkflowD } } + // Embed the gh-aw-manifest immediately after gh-aw-metadata for easy machine parsing. + // The manifest records all secrets and external actions detected at compile time so + // that subsequent compilations can perform safe update enforcement. + manifest := NewGHAWManifest(secrets, actions) + if manifestJSON, err := manifest.ToJSON(); err == nil { + fmt.Fprintf(yaml, "# gh-aw-manifest: %s\n", manifestJSON) + } else { + compilerYamlLog.Printf("Failed to serialize gh-aw-manifest: %v. Safe update mode will not be available for future compilations of this workflow.", err) + } + // Add workflow header with logo and instructions sourceFile := "the corresponding .md file" if data.Source != "" { @@ -247,7 +269,7 @@ func (c *Compiler) generateWorkflowBody(yaml *strings.Builder, data *WorkflowDat yaml.WriteString(c.jobManager.RenderToYAML()) } -func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string, error) { +func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string, []string, []string, error) { compilerYamlLog.Printf("Generating YAML for workflow: %s", data.Name) // Compute frontmatter hash BEFORE building jobs so that the stable hash is @@ -273,7 +295,7 @@ func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string // Build all jobs and validate dependencies if err := c.buildJobsAndValidate(data, markdownPath); err != nil { - return "", fmt.Errorf("failed to build and validate jobs: %w", err) + return "", nil, nil, fmt.Errorf("failed to build and validate jobs: %w", err) } // Pre-allocate builder capacity based on estimated workflow size @@ -289,6 +311,8 @@ func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string bodyContent := body.String() // Collect secrets and external action references from the generated body. + // These are returned to the caller so they can be used for safe update enforcement + // without requiring a second scan of the full YAML content. secrets := CollectSecretReferences(bodyContent) actions := CollectActionReferences(bodyContent) @@ -308,7 +332,7 @@ func (c *Compiler) generateYAML(data *WorkflowData, markdownPath string) (string } compilerYamlLog.Printf("Successfully generated YAML for workflow: %s (%d bytes)", data.Name, len(yamlContent)) - return yamlContent, nil + return yamlContent, secrets, actions, nil } func splitContentIntoChunks(content string) []string { diff --git a/pkg/workflow/compiler_yaml_helpers_test.go b/pkg/workflow/compiler_yaml_helpers_test.go index 6980fc9c261..c2b8c4a9c11 100644 --- a/pkg/workflow/compiler_yaml_helpers_test.go +++ b/pkg/workflow/compiler_yaml_helpers_test.go @@ -369,7 +369,7 @@ func TestGenerateYAMLRefactored(t *testing.T) { t.Run(tt.name, func(t *testing.T) { compiler := NewCompiler() - result, err := compiler.generateYAML(tt.data, "test.md") + result, _, _, err := compiler.generateYAML(tt.data, "test.md") if tt.shouldError && err == nil { t.Errorf("generateYAML() expected error but got none") diff --git a/pkg/workflow/compiler_yaml_logo_test.go b/pkg/workflow/compiler_yaml_logo_test.go index a25aafc770e..36f44a11b3d 100644 --- a/pkg/workflow/compiler_yaml_logo_test.go +++ b/pkg/workflow/compiler_yaml_logo_test.go @@ -20,7 +20,7 @@ func TestASCIILogoAlignment(t *testing.T) { } // Generate YAML - yaml, err := compiler.generateYAML(data, "test.md") + yaml, _, _, err := compiler.generateYAML(data, "test.md") if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/container_services_test.go b/pkg/workflow/container_services_test.go index b513353e219..16443daf387 100644 --- a/pkg/workflow/container_services_test.go +++ b/pkg/workflow/container_services_test.go @@ -125,7 +125,7 @@ This is a test without container.`, } // Generate YAML and check if container appears in the main job - yamlContent, err := compiler.generateYAML(workflowData, workflowFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, workflowFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -282,7 +282,7 @@ This is a test without services.`, } // Generate YAML and check if services appears in the main job - yamlContent, err := compiler.generateYAML(workflowData, workflowFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, workflowFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -363,7 +363,7 @@ This workflow uses both container and services.` t.Fatalf("Failed to parse workflow: %v", err) } - yamlContent, err := compiler.generateYAML(workflowData, workflowFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, workflowFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/environment_test.go b/pkg/workflow/environment_test.go index b16fc6d9b58..1337d8559c3 100644 --- a/pkg/workflow/environment_test.go +++ b/pkg/workflow/environment_test.go @@ -121,7 +121,7 @@ This is a test.`, } // Generate YAML and check if environment appears in the main job - yamlContent, err := compiler.generateYAML(workflowData, workflowFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, workflowFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -209,7 +209,7 @@ This is a test.` t.Fatalf("Failed to parse workflow: %v", err) } - yamlContent, err := compiler.generateYAML(workflowData, workflowFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, workflowFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/git_config_test.go b/pkg/workflow/git_config_test.go index bfa4d90c69f..62e97a0626d 100644 --- a/pkg/workflow/git_config_test.go +++ b/pkg/workflow/git_config_test.go @@ -46,7 +46,7 @@ This is a test workflow to verify git configuration is included. } // Generate YAML content - lockContent, err := compiler.generateYAML(workflowData, testFile) + lockContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -148,7 +148,7 @@ This is a test workflow to verify git credentials cleaner is included. } // Generate YAML content - lockContent, err := compiler.generateYAML(workflowData, testFile) + lockContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -251,7 +251,7 @@ This workflow uses API tools only and does not need the repository to be checked t.Fatalf("Failed to parse workflow file: %v", err) } - lockContent, err := compiler.generateYAML(workflowData, testFile) + lockContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/lock_for_agent_test.go b/pkg/workflow/lock_for_agent_test.go index 522c4e01b16..7e4a4c623f0 100644 --- a/pkg/workflow/lock_for_agent_test.go +++ b/pkg/workflow/lock_for_agent_test.go @@ -51,7 +51,7 @@ Test workflow with lock-for-agent enabled. } // Generate YAML and verify it contains lock/unlock steps - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -127,7 +127,7 @@ Test workflow with lock-for-agent but no reaction. } // Generate YAML and verify it contains lock/unlock steps - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -198,7 +198,7 @@ Test workflow without lock-for-agent. } // Generate YAML and verify it does not contain lock/unlock steps - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -263,7 +263,7 @@ Test workflow without lock-for-agent and without reaction. } // Generate YAML and verify it does not contain lock/unlock steps - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -318,7 +318,7 @@ Test that lock-for-agent on issues doesn't break PR workflows. } // Generate YAML - should succeed without errors - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -369,7 +369,7 @@ Test workflow with lock-for-agent enabled for issue_comment events. } // Generate YAML and verify it contains lock/unlock steps - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -468,7 +468,7 @@ Test that lock-for-agent is commented out in generated YAML. } // Generate YAML - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -537,7 +537,7 @@ Test that safe_outputs job depends on unlock job. } // Generate YAML - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index 8951510b7eb..caf15796e40 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -59,7 +59,7 @@ This workflow tests that MCP server env vars are sorted alphabetically. t.Fatalf("Failed to parse workflow file: %v", err) } - yamlContent, err := compiler.generateYAML(workflowData, tmpFile.Name()) + yamlContent, _, _, err := compiler.generateYAML(workflowData, tmpFile.Name()) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -340,7 +340,7 @@ Test workflow. t.Fatalf("Failed to parse workflow file: %v", err) } - yamlContent, err := compiler.generateYAML(workflowData, tmpFile.Name()) + yamlContent, _, _, err := compiler.generateYAML(workflowData, tmpFile.Name()) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/reaction_outputs_test.go b/pkg/workflow/reaction_outputs_test.go index 19af11f2515..a9035ddbdd0 100644 --- a/pkg/workflow/reaction_outputs_test.go +++ b/pkg/workflow/reaction_outputs_test.go @@ -54,7 +54,7 @@ This workflow should generate add_reaction job with comment outputs. } // Generate YAML - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } @@ -129,7 +129,7 @@ This workflow should generate add_reaction job with GH_AW_WORKFLOW_NAME environm } // Generate YAML - yamlContent, err := compiler.generateYAML(workflowData, testFile) + yamlContent, _, _, err := compiler.generateYAML(workflowData, testFile) if err != nil { t.Fatalf("Failed to generate YAML: %v", err) } diff --git a/pkg/workflow/safe_update_enforcement.go b/pkg/workflow/safe_update_enforcement.go new file mode 100644 index 00000000000..d46359e3070 --- /dev/null +++ b/pkg/workflow/safe_update_enforcement.go @@ -0,0 +1,187 @@ +package workflow + +import ( + "fmt" + "sort" + "strings" + + "github.com/github/gh-aw/pkg/logger" +) + +var safeUpdateLog = logger.New("workflow:safe_update") + +// githubTokenSecret is the one secret that is always permitted in safe update mode. +// Stored without the "secrets." prefix to match manifest storage format. +const githubTokenSecret = "GITHUB_TOKEN" + +// EnforceSafeUpdate validates that no new restricted secrets or unapproved action +// changes have been introduced compared to those recorded in the existing manifest. +// +// manifest is the gh-aw-manifest extracted from the current lock file before +// recompilation. When nil (no lock file exists yet), it is treated as an empty +// manifest so that all non-GITHUB_TOKEN secrets and all custom actions are rejected +// on a first-time safe-update compilation. +// +// secretNames contains the raw names produced by CollectSecretReferences (i.e. +// they may or may not carry the "secrets." prefix; both forms are normalized +// via normalizeSecretName before comparison). +// +// actionRefs contains the raw action reference strings produced by CollectActionReferences, +// e.g. "actions/checkout@abc1234 # v4". +// +// Returns a structured, actionable error when violations are found. +func EnforceSafeUpdate(manifest *GHAWManifest, secretNames []string, actionRefs []string) error { + if manifest == nil { + // No prior lock file – treat as an empty manifest so safe-update enforcement + // blocks any secrets (other than GITHUB_TOKEN) and any custom actions on the + // first compilation, matching the principle of least privilege. + safeUpdateLog.Print("No existing manifest found; treating as empty manifest for safe update enforcement") + manifest = &GHAWManifest{Version: currentGHAWManifestVersion} + } + + secretViolations := collectSecretViolations(manifest, secretNames) + addedActions, removedActions := collectActionViolations(manifest, actionRefs) + + if len(secretViolations) == 0 && len(addedActions) == 0 && len(removedActions) == 0 { + safeUpdateLog.Printf("Safe update check passed (%d secret(s), %d action(s) verified)", + len(secretNames), len(actionRefs)) + return nil + } + + if len(secretViolations) > 0 { + safeUpdateLog.Printf("Safe update violation: %d new secret(s) detected: %s", + len(secretViolations), strings.Join(secretViolations, ", ")) + } + if len(addedActions) > 0 { + safeUpdateLog.Printf("Safe update violation: %d new action(s) added: %s", + len(addedActions), strings.Join(addedActions, ", ")) + } + if len(removedActions) > 0 { + safeUpdateLog.Printf("Safe update violation: %d action(s) removed: %s", + len(removedActions), strings.Join(removedActions, ", ")) + } + + return buildSafeUpdateError(secretViolations, addedActions, removedActions) +} + +// collectSecretViolations returns the normalized secret names that are new (not in the +// previous manifest) and are not the always-allowed GITHUB_TOKEN. +func collectSecretViolations(manifest *GHAWManifest, secretNames []string) []string { + known := make(map[string]bool, len(manifest.Secrets)) + for _, s := range manifest.Secrets { + known[s] = true + } + + var violations []string + for _, name := range secretNames { + full := normalizeSecretName(name) + if full == githubTokenSecret { + continue + } + if known[full] { + continue + } + violations = append(violations, full) + } + sort.Strings(violations) + return violations +} + +// githubActionsOrg is the owner whose actions are always trusted and never flagged +// as unapproved additions, regardless of what was recorded in the manifest. +const githubActionsOrg = "actions" + +// isActionsOrgRepo reports whether a repo string belongs to the trusted "actions" org +// (i.e. has the form "actions/"). +func isActionsOrgRepo(repo string) bool { + return strings.HasPrefix(repo, githubActionsOrg+"/") +} + +// collectActionViolations compares the new action refs against the previous manifest +// and returns two sorted slices: repos that were added and repos that were removed. +// The comparison uses the action repo as the key, so SHA/version changes to an +// already-approved repo are not flagged. +// Actions belonging to the "actions/" GitHub org are always trusted and never flagged. +func collectActionViolations(manifest *GHAWManifest, actionRefs []string) (added []string, removed []string) { + // Build known repo set from previous manifest. + knownRepos := make(map[string]bool, len(manifest.Actions)) + for _, a := range manifest.Actions { + knownRepos[a.Repo] = true + } + + // Build new repo set from the freshly compiled action refs. + newActions := parseActionRefs(actionRefs) + newRepos := make(map[string]bool, len(newActions)) + for _, a := range newActions { + newRepos[a.Repo] = true + } + + // Find additions: repos present in the new compilation but absent from the manifest. + // Actions from the trusted "actions/" org are always allowed and never flagged. + for repo := range newRepos { + if isActionsOrgRepo(repo) { + continue + } + if !knownRepos[repo] { + added = append(added, repo) + } + } + + // Find removals: repos present in the previous manifest but absent from the new compilation. + // Actions from the trusted "actions/" org are always allowed, so their removal is not flagged. + for repo := range knownRepos { + if isActionsOrgRepo(repo) { + continue + } + if !newRepos[repo] { + removed = append(removed, repo) + } + } + + sort.Strings(added) + sort.Strings(removed) + return added, removed +} + +// buildSafeUpdateError creates a clear, structured error message that names the +// offending secrets and actions and tells the user how to remediate. +func buildSafeUpdateError(secretViolations, addedActions, removedActions []string) error { + var sb strings.Builder + sb.WriteString("safe update mode detected unapproved changes\n") + + if len(secretViolations) > 0 { + sb.WriteString("\nNew restricted secret(s):\n - ") + sb.WriteString(strings.Join(secretViolations, "\n - ")) + } + if len(addedActions) > 0 { + sb.WriteString("\nNew unapproved action(s):\n - ") + sb.WriteString(strings.Join(addedActions, "\n - ")) + } + if len(removedActions) > 0 { + sb.WriteString("\nPreviously-approved action(s) removed:\n - ") + sb.WriteString(strings.Join(removedActions, "\n - ")) + } + + sb.WriteString("\n\nRemediation options:\n 1. Use an interactive agentic flow (e.g. Copilot CLI) to review and approve the changes.\n 2. Remove the --safe-update flag to allow the change.\n 3. Revert the unapproved changes from your workflow if they were added unintentionally.") + return fmt.Errorf("%s", sb.String()) +} + +// buildSafeUpdateWarningPrompt wraps the raw safe update violation message in a +// structured prompt that: +// - Asks the calling agent to review each new secret / action for malicious use +// - Asks the agent to include a security review note in the pull request description +// so that human reviewers are aware of the changes +func buildSafeUpdateWarningPrompt(violationMsg string) string { + var sb strings.Builder + sb.WriteString("⚠️ SECURITY REVIEW REQUIRED — safe update mode detected unapproved changes:\n\n") + sb.WriteString(violationMsg) + sb.WriteString("\n\n") + sb.WriteString("Action required for the calling agent:\n") + sb.WriteString(" 1. Review every new secret and action listed above for potential malicious use\n") + sb.WriteString(" (e.g. credential exfiltration, supply-chain attacks, unexpected network access).\n") + sb.WriteString(" 2. Add a security review note to the pull request description that:\n") + sb.WriteString(" - Lists the new secrets and actions introduced by this compilation.\n") + sb.WriteString(" - Confirms you have reviewed each one and explains why it is safe to add.\n") + sb.WriteString(" - Flags any item you cannot fully verify so a human reviewer can inspect it.\n") + return sb.String() +} diff --git a/pkg/workflow/safe_update_enforcement_test.go b/pkg/workflow/safe_update_enforcement_test.go new file mode 100644 index 00000000000..76b9861c7a8 --- /dev/null +++ b/pkg/workflow/safe_update_enforcement_test.go @@ -0,0 +1,431 @@ +//go:build !integration + +package workflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestEnforceSafeUpdate(t *testing.T) { + tests := []struct { + name string + manifest *GHAWManifest + secretNames []string + actionRefs []string + wantErr bool + wantErrMsgs []string + }{ + { + name: "nil manifest (no lock file) blocks secrets on first compile", + manifest: nil, + secretNames: []string{"MY_SECRET"}, + actionRefs: []string{}, + wantErr: true, + wantErrMsgs: []string{"MY_SECRET", "safe update mode"}, + }, + { + name: "nil manifest (no lock file) blocks custom actions on first compile", + manifest: nil, + secretNames: []string{}, + actionRefs: []string{"my-org/my-action@abc1234 # v1"}, + wantErr: true, + wantErrMsgs: []string{"my-org/my-action", "safe update mode"}, + }, + { + name: "nil manifest (no lock file) allows GITHUB_TOKEN on first compile", + manifest: nil, + secretNames: []string{"GITHUB_TOKEN"}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "nil manifest (no lock file) with no secrets or actions passes", + manifest: nil, + secretNames: []string{}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "empty secrets and actions with existing manifest passes", + manifest: &GHAWManifest{Version: 1, Secrets: []string{}, Actions: []GHAWManifestAction{}}, + secretNames: []string{}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "GITHUB_TOKEN always allowed even when not in manifest", + manifest: &GHAWManifest{Version: 1, Secrets: []string{}, Actions: []GHAWManifestAction{}}, + secretNames: []string{"GITHUB_TOKEN"}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "GITHUB_TOKEN with secrets. prefix always allowed", + manifest: &GHAWManifest{Version: 1, Secrets: []string{}, Actions: []GHAWManifestAction{}}, + secretNames: []string{"secrets.GITHUB_TOKEN"}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "known secret passes", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{"MY_SECRET"}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{"MY_SECRET"}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "new restricted secret causes failure", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{"EXISTING_SECRET"}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{"EXISTING_SECRET", "NEW_SECRET"}, + actionRefs: []string{}, + wantErr: true, + wantErrMsgs: []string{"NEW_SECRET", "safe update mode"}, + }, + { + name: "multiple new secrets listed in error", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{"SECRET_A", "SECRET_B"}, + actionRefs: []string{}, + wantErr: true, + wantErrMsgs: []string{"SECRET_A", "SECRET_B"}, + }, + { + name: "GITHUB_TOKEN plus known secret passes", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{"MY_SECRET"}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{"GITHUB_TOKEN", "MY_SECRET"}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "empty manifest blocks any new secret except GITHUB_TOKEN", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{"SOME_SECRET"}, + actionRefs: []string{}, + wantErr: true, + wantErrMsgs: []string{"SOME_SECRET"}, + }, + // Action enforcement tests. + { + name: "known action passes", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{{Repo: "my-org/my-action", SHA: "abc1234", Version: "v1"}}, + }, + secretNames: []string{}, + actionRefs: []string{"my-org/my-action@abc1234 # v1"}, + wantErr: false, + }, + { + name: "known action with different SHA (pin update) passes", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{{Repo: "my-org/my-action", SHA: "abc1234", Version: "v1"}}, + }, + secretNames: []string{}, + actionRefs: []string{"my-org/my-action@def5678 # v2"}, + wantErr: false, + }, + { + name: "new unapproved action causes failure", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{{Repo: "actions/checkout", SHA: "abc1234", Version: "v4"}}, + }, + secretNames: []string{}, + actionRefs: []string{"actions/checkout@abc1234 # v4", "evil-org/steal-secrets@deadbeef # v1"}, + wantErr: true, + wantErrMsgs: []string{"evil-org/steal-secrets", "safe update mode", "New unapproved action"}, + }, + { + name: "removed previously-approved action causes failure", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{ + {Repo: "actions/checkout", SHA: "abc1234", Version: "v4"}, + {Repo: "my-org/setup-tool", SHA: "def5678", Version: "v3"}, + }, + }, + secretNames: []string{}, + actionRefs: []string{"actions/checkout@abc1234 # v4"}, + wantErr: true, + wantErrMsgs: []string{"my-org/setup-tool", "Previously-approved action"}, + }, + { + name: "both added and removed actions reported together", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{{Repo: "my-org/approved-action", SHA: "abc1234", Version: "v4"}}, + }, + secretNames: []string{}, + actionRefs: []string{"evil-org/bad-action@deadbeef # v1"}, + wantErr: true, + wantErrMsgs: []string{"evil-org/bad-action", "my-org/approved-action"}, + }, + { + name: "new secret and new action both reported in one error", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{"NEW_SECRET"}, + actionRefs: []string{"new-org/new-action@abc # v1"}, + wantErr: true, + wantErrMsgs: []string{"NEW_SECRET", "new-org/new-action"}, + }, + // actions/ org exemption tests. + { + name: "nil manifest: new actions/checkout is allowed on first compile", + manifest: nil, + secretNames: []string{}, + actionRefs: []string{"actions/checkout@abc1234 # v4"}, + wantErr: false, + }, + { + name: "new actions/ action (not in manifest) is always allowed", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{}, + actionRefs: []string{"actions/setup-node@abc1234 # v4"}, + wantErr: false, + }, + { + name: "removal of actions/ action from manifest is not flagged", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{{Repo: "actions/checkout", SHA: "abc1234", Version: "v4"}}, + }, + secretNames: []string{}, + actionRefs: []string{}, + wantErr: false, + }, + { + name: "actions/ action allowed alongside non-actions/ violation", + manifest: &GHAWManifest{ + Version: 1, + Secrets: []string{}, + Actions: []GHAWManifestAction{}, + }, + secretNames: []string{}, + actionRefs: []string{"actions/checkout@abc1234 # v4", "evil-org/bad-action@deadbeef # v1"}, + wantErr: true, + wantErrMsgs: []string{"evil-org/bad-action"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := EnforceSafeUpdate(tt.manifest, tt.secretNames, tt.actionRefs) + if tt.wantErr { + require.Error(t, err, "expected safe update enforcement error") + for _, msg := range tt.wantErrMsgs { + assert.Contains(t, err.Error(), msg, "error message should contain %q", msg) + } + } else { + assert.NoError(t, err, "unexpected safe update enforcement error") + } + }) + } +} + +func TestBuildSafeUpdateError(t *testing.T) { + t.Run("secrets only", func(t *testing.T) { + violations := []string{"NEW_SECRET", "ANOTHER_SECRET"} + err := buildSafeUpdateError(violations, nil, nil) + require.Error(t, err, "should return an error") + + msg := err.Error() + assert.Contains(t, msg, "safe update mode", "error message") + assert.Contains(t, msg, "NEW_SECRET", "violation in message") + assert.Contains(t, msg, "ANOTHER_SECRET", "violation in message") + assert.Contains(t, msg, "interactive agentic flow", "remediation guidance") + }) + + t.Run("added actions only", func(t *testing.T) { + err := buildSafeUpdateError(nil, []string{"evil-org/bad-action"}, nil) + require.Error(t, err, "should return an error") + msg := err.Error() + assert.Contains(t, msg, "evil-org/bad-action", "action in message") + assert.Contains(t, msg, "New unapproved action", "section header in message") + }) + + t.Run("removed actions only", func(t *testing.T) { + err := buildSafeUpdateError(nil, nil, []string{"actions/setup-node"}) + require.Error(t, err, "should return an error") + msg := err.Error() + assert.Contains(t, msg, "actions/setup-node", "action in message") + assert.Contains(t, msg, "Previously-approved action", "section header in message") + }) + + t.Run("mixed violations", func(t *testing.T) { + err := buildSafeUpdateError( + []string{"MY_SECRET"}, + []string{"evil-org/bad-action"}, + []string{"actions/checkout"}, + ) + require.Error(t, err, "should return an error") + msg := err.Error() + assert.Contains(t, msg, "MY_SECRET", "secret in message") + assert.Contains(t, msg, "evil-org/bad-action", "added action in message") + assert.Contains(t, msg, "actions/checkout", "removed action in message") + }) +} + +func TestCollectActionViolations(t *testing.T) { + tests := []struct { + name string + manifest *GHAWManifest + actionRefs []string + wantAdded []string + wantRemoved []string + }{ + { + name: "no changes passes", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{{Repo: "actions/checkout", SHA: "abc"}}}, + actionRefs: []string{"actions/checkout@abc # v4"}, + wantAdded: nil, + wantRemoved: nil, + }, + { + name: "SHA change on same repo passes", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{{Repo: "actions/checkout", SHA: "abc"}}}, + actionRefs: []string{"actions/checkout@def # v5"}, + wantAdded: nil, + wantRemoved: nil, + }, + { + name: "new repo is an addition", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{{Repo: "actions/checkout", SHA: "abc"}}}, + actionRefs: []string{"actions/checkout@abc", "new-org/new-action@xyz"}, + wantAdded: []string{"new-org/new-action"}, + wantRemoved: nil, + }, + { + name: "missing repo is a removal", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{{Repo: "my-org/custom-action", SHA: "abc"}, {Repo: "my-org/setup-tool", SHA: "def"}}}, + actionRefs: []string{"my-org/custom-action@abc"}, + wantAdded: nil, + wantRemoved: []string{"my-org/setup-tool"}, + }, + { + name: "empty manifest with no new actions passes", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{}}, + actionRefs: []string{}, + wantAdded: nil, + wantRemoved: nil, + }, + { + name: "new actions/ action is not an addition violation", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{}}, + actionRefs: []string{"actions/checkout@abc1234 # v4"}, + wantAdded: nil, + wantRemoved: nil, + }, + { + name: "removal of actions/ action from manifest is not a removal violation", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{{Repo: "actions/checkout", SHA: "abc1234", Version: "v4"}}}, + actionRefs: []string{}, + wantAdded: nil, + wantRemoved: nil, + }, + { + name: "actions/ action not flagged, non-actions/ action is flagged", + manifest: &GHAWManifest{Actions: []GHAWManifestAction{ + {Repo: "actions/checkout", SHA: "abc1234", Version: "v4"}, + }}, + actionRefs: []string{"actions/setup-node@def5678 # v4", "evil-org/bad-action@deadbeef # v1"}, + wantAdded: []string{"evil-org/bad-action"}, + wantRemoved: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + added, removed := collectActionViolations(tt.manifest, tt.actionRefs) + assert.Equal(t, tt.wantAdded, added, "added actions") + assert.Equal(t, tt.wantRemoved, removed, "removed actions") + }) + } +} + +func TestEffectiveSafeUpdate(t *testing.T) { + // effectiveSafeUpdate is equivalent to effectiveStrictMode: + // it returns true when the compiler safeUpdate flag is set, OR when strict + // mode is active (which defaults to true unless frontmatter sets strict: false). + tests := []struct { + name string + compilerFlag bool + rawFrontmatter map[string]any + want bool + }{ + { + name: "compiler flag off, no frontmatter => true (strict default)", + compilerFlag: false, + want: true, // strict mode defaults to true, so safe update is enabled + }, + { + name: "compiler flag on => true", + compilerFlag: true, + want: true, + }, + { + name: "frontmatter strict: false, compiler flag off => false", + compilerFlag: false, + rawFrontmatter: map[string]any{"strict": false}, + want: false, + }, + { + name: "frontmatter strict: false, compiler flag on => true", + compilerFlag: true, + rawFrontmatter: map[string]any{"strict": false}, + want: true, // CLI flag overrides frontmatter + }, + { + name: "frontmatter strict: true, compiler flag off => true", + compilerFlag: false, + rawFrontmatter: map[string]any{"strict": true}, + want: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := &Compiler{safeUpdate: tt.compilerFlag} + data := &WorkflowData{RawFrontmatter: tt.rawFrontmatter} + got := c.effectiveSafeUpdate(data) + assert.Equal(t, tt.want, got, "effectiveSafeUpdate result") + }) + } +} diff --git a/pkg/workflow/safe_update_manifest.go b/pkg/workflow/safe_update_manifest.go new file mode 100644 index 00000000000..d120e54b97c --- /dev/null +++ b/pkg/workflow/safe_update_manifest.go @@ -0,0 +1,157 @@ +package workflow + +import ( + "encoding/json" + "fmt" + "regexp" + "sort" + "strings" + + "github.com/github/gh-aw/pkg/logger" +) + +var safeUpdateManifestLog = logger.New("workflow:safe_update_manifest") + +// ghawManifestPattern matches a "# gh-aw-manifest: {...}" line in a lock file header. +var ghawManifestPattern = regexp.MustCompile(`#\s*gh-aw-manifest:\s*(\{.+\})`) + +// currentGHAWManifestVersion is the current schema version for the GHAW manifest header. +const currentGHAWManifestVersion = 1 + +// GHAWManifestAction represents a single GitHub Action referenced in a compiled workflow. +type GHAWManifestAction struct { + Repo string `json:"repo"` + SHA string `json:"sha"` + Version string `json:"version,omitempty"` +} + +// GHAWManifest is the single-line JSON payload embedded as a "# gh-aw-manifest: ..." +// comment in generated lock files. It records the secrets and external actions that +// were detected at the time the lock file was last compiled so that subsequent +// compilations can detect newly introduced secrets when safe update mode is enabled. +type GHAWManifest struct { + Version int `json:"version"` + Secrets []string `json:"secrets"` + Actions []GHAWManifestAction `json:"actions"` +} + +// NewGHAWManifest builds a GHAWManifest from the raw secret names and action reference +// strings produced by CollectSecretReferences and CollectActionReferences. +// +// secretNames entries may include or omit the "secrets." prefix; the prefix is always +// stripped before storage so the manifest contains plain names (e.g. "GITHUB_TOKEN"). +// actionRefs entries follow the format produced by CollectActionReferences, e.g. +// +// "actions/checkout@abc1234 # v4" +func NewGHAWManifest(secretNames []string, actionRefs []string) *GHAWManifest { + // Normalize secret names to full "secrets.NAME" form and deduplicate. + seen := make(map[string]bool) + secrets := make([]string, 0, len(secretNames)) + for _, name := range secretNames { + full := normalizeSecretName(name) + if !seen[full] { + seen[full] = true + secrets = append(secrets, full) + } + } + sort.Strings(secrets) + + return &GHAWManifest{ + Version: currentGHAWManifestVersion, + Secrets: secrets, + Actions: parseActionRefs(actionRefs), + } +} + +// normalizeSecretName ensures a secret identifier is stored as a plain name +// without the "secrets." prefix (e.g. "GITHUB_TOKEN" not "secrets.GITHUB_TOKEN"). +// If the input already carries the "secrets." prefix it is stripped; otherwise +// the name is returned unchanged. +func normalizeSecretName(name string) string { + return strings.TrimPrefix(name, "secrets.") +} + +// parseActionRefs converts the action reference strings returned by +// CollectActionReferences into structured GHAWManifestAction values. +// +// Accepted formats (produced by actionReferencePattern): +// +// "actions/checkout@abc1234 # v4" → repo=actions/checkout, sha=abc1234, version=v4 +// "actions/checkout@v4" → repo=actions/checkout, sha=v4, version=v4 +func parseActionRefs(refs []string) []GHAWManifestAction { + seen := make(map[string]bool) + actions := make([]GHAWManifestAction, 0, len(refs)) + + for _, raw := range refs { + ref := raw + + // Extract optional inline comment (e.g. "# v4") for the human-readable version tag. + comment := "" + if idx := strings.Index(ref, " # "); idx >= 0 { + comment = strings.TrimSpace(ref[idx+3:]) + ref = strings.TrimSpace(ref[:idx]) + } + + // Split on the last "@" to separate repo from sha/version. + at := strings.LastIndex(ref, "@") + if at < 0 { + continue + } + repo := ref[:at] + sha := ref[at+1:] + version := comment + if version == "" { + version = sha + } + + key := repo + "@" + sha + if seen[key] { + continue + } + seen[key] = true + + actions = append(actions, GHAWManifestAction{ + Repo: repo, + SHA: sha, + Version: version, + }) + } + + // Sort for deterministic output. + sort.Slice(actions, func(i, j int) bool { + if actions[i].Repo != actions[j].Repo { + return actions[i].Repo < actions[j].Repo + } + return actions[i].SHA < actions[j].SHA + }) + + return actions +} + +// ToJSON serialises the manifest to a compact, single-line JSON string suitable +// for embedding in a YAML comment header. +func (m *GHAWManifest) ToJSON() (string, error) { + data, err := json.Marshal(m) + if err != nil { + return "", fmt.Errorf("failed to serialize gh-aw-manifest: %w", err) + } + return string(data), nil +} + +// ExtractGHAWManifestFromLockFile parses the gh-aw-manifest from a lock file's +// comment header. Returns nil (with no error) when no manifest line is present, +// which is the normal state for lock files generated before this feature was +// introduced. +func ExtractGHAWManifestFromLockFile(content string) (*GHAWManifest, error) { + matches := ghawManifestPattern.FindStringSubmatch(content) + if len(matches) < 2 { + return nil, nil + } + var m GHAWManifest + if err := json.Unmarshal([]byte(matches[1]), &m); err != nil { + return nil, fmt.Errorf("failed to parse gh-aw-manifest JSON: %w", err) + } + safeUpdateManifestLog.Printf("Extracted gh-aw-manifest: version=%d secrets=%d actions=%d", + m.Version, len(m.Secrets), len(m.Actions)) + return &m, nil +} diff --git a/pkg/workflow/safe_update_manifest_test.go b/pkg/workflow/safe_update_manifest_test.go new file mode 100644 index 00000000000..c13f2e16733 --- /dev/null +++ b/pkg/workflow/safe_update_manifest_test.go @@ -0,0 +1,266 @@ +//go:build !integration + +package workflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestNewGHAWManifest(t *testing.T) { + tests := []struct { + name string + secretNames []string + actionRefs []string + wantVersion int + wantSecrets []string + wantActionRepos []string + }{ + { + name: "empty inputs", + secretNames: nil, + actionRefs: nil, + wantVersion: 1, + wantSecrets: []string{}, + }, + { + name: "secrets prefix stripped to plain name", + secretNames: []string{"GITHUB_TOKEN", "MY_SECRET"}, + wantVersion: 1, + wantSecrets: []string{"GITHUB_TOKEN", "MY_SECRET"}, + }, + { + name: "secrets.NAME prefix is stripped on input", + secretNames: []string{"secrets.GITHUB_TOKEN", "GITHUB_TOKEN"}, + wantVersion: 1, + wantSecrets: []string{"GITHUB_TOKEN"}, + }, + { + name: "secrets are sorted and deduplicated", + secretNames: []string{"Z_SECRET", "A_SECRET", "Z_SECRET"}, + wantVersion: 1, + wantSecrets: []string{"A_SECRET", "Z_SECRET"}, + }, + { + name: "action refs with SHA and comment", + actionRefs: []string{ + "actions/checkout@abc1234def5678 # v4", + "docker://alpine:3.14", // no @ separator; skipped + }, + wantVersion: 1, + wantSecrets: []string{}, + wantActionRepos: []string{"actions/checkout"}, + }, + { + name: "action refs without comment use sha as version", + actionRefs: []string{ + "actions/checkout@v4", + }, + wantVersion: 1, + wantSecrets: []string{}, + wantActionRepos: []string{"actions/checkout"}, + }, + { + name: "duplicate action refs are deduplicated", + actionRefs: []string{ + "actions/checkout@abc123 # v4", + "actions/checkout@abc123 # v4", + }, + wantVersion: 1, + wantSecrets: []string{}, + wantActionRepos: []string{"actions/checkout"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + m := NewGHAWManifest(tt.secretNames, tt.actionRefs) + require.NotNil(t, m, "manifest should not be nil") + assert.Equal(t, tt.wantVersion, m.Version, "manifest version") + if tt.wantSecrets != nil { + assert.Equal(t, tt.wantSecrets, m.Secrets, "manifest secrets") + } + if tt.wantActionRepos != nil { + repos := make([]string, len(m.Actions)) + for i, a := range m.Actions { + repos[i] = a.Repo + } + assert.Equal(t, tt.wantActionRepos, repos, "action repos") + } + }) + } +} + +func TestGHAWManifestToJSON(t *testing.T) { + m := &GHAWManifest{ + Version: 1, + Secrets: []string{"GITHUB_TOKEN", "MY_SECRET"}, + Actions: []GHAWManifestAction{ + {Repo: "actions/checkout", SHA: "abc123", Version: "v4"}, + }, + } + + json, err := m.ToJSON() + require.NoError(t, err, "ToJSON should not fail") + assert.Contains(t, json, `"version":1`, "version in JSON") + assert.Contains(t, json, `"GITHUB_TOKEN"`, "GITHUB_TOKEN in JSON") + assert.Contains(t, json, `"MY_SECRET"`, "MY_SECRET in JSON") + assert.Contains(t, json, `"actions/checkout"`, "action repo in JSON") + assert.Contains(t, json, `"abc123"`, "action SHA in JSON") + assert.Contains(t, json, `"v4"`, "action version in JSON") +} + +func TestExtractGHAWManifestFromLockFile(t *testing.T) { + tests := []struct { + name string + content string + wantNil bool + wantErr bool + wantVersion int + wantSecrets []string + }{ + { + name: "no manifest line returns nil", + content: "# gh-aw-metadata: {}\nsome: yaml", + wantNil: true, + }, + { + name: "manifest extracted successfully", + content: `# gh-aw-manifest: {"version":1,"secrets":["GITHUB_TOKEN"],"actions":[]}`, + wantVersion: 1, + wantSecrets: []string{"GITHUB_TOKEN"}, + }, + { + name: "manifest with leading spaces in comment", + content: `# gh-aw-manifest: {"version":1,"secrets":[],"actions":[]}`, + wantVersion: 1, + wantSecrets: []string{}, + }, + { + name: "invalid JSON returns error", + content: "# gh-aw-manifest: {invalid json}", + wantErr: true, + }, + { + name: "manifest embedded in multi-line header", + content: `# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"abc"} +# gh-aw-manifest: {"version":1,"secrets":["FOO"],"actions":[]} +name: my-workflow`, + wantVersion: 1, + wantSecrets: []string{"FOO"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + m, err := ExtractGHAWManifestFromLockFile(tt.content) + if tt.wantErr { + assert.Error(t, err, "expected error") + return + } + require.NoError(t, err, "unexpected error") + if tt.wantNil { + assert.Nil(t, m, "expected nil manifest") + return + } + require.NotNil(t, m, "manifest should not be nil") + assert.Equal(t, tt.wantVersion, m.Version, "manifest version") + assert.Equal(t, tt.wantSecrets, m.Secrets, "manifest secrets") + }) + } +} + +func TestNormalizeSecretName(t *testing.T) { + tests := []struct { + input string + want string + }{ + {"GITHUB_TOKEN", "GITHUB_TOKEN"}, + {"secrets.GITHUB_TOKEN", "GITHUB_TOKEN"}, + {"MY_SECRET", "MY_SECRET"}, + {"secrets.MY_SECRET", "MY_SECRET"}, + } + for _, tt := range tests { + t.Run(tt.input, func(t *testing.T) { + assert.Equal(t, tt.want, normalizeSecretName(tt.input), "normalized secret name") + }) + } +} + +func TestParseActionRefs(t *testing.T) { + tests := []struct { + name string + refs []string + wantLen int + check func(t *testing.T, actions []GHAWManifestAction) + }{ + { + name: "empty refs", + refs: nil, + wantLen: 0, + }, + { + name: "ref with SHA and version comment", + refs: []string{"actions/checkout@abc1234 # v4"}, + check: func(t *testing.T, actions []GHAWManifestAction) { + require.Len(t, actions, 1, "expected 1 action") + assert.Equal(t, "actions/checkout", actions[0].Repo, "repo") + assert.Equal(t, "abc1234", actions[0].SHA, "sha") + assert.Equal(t, "v4", actions[0].Version, "version") + }, + }, + { + name: "ref without comment uses sha as version", + refs: []string{"actions/checkout@v4"}, + check: func(t *testing.T, actions []GHAWManifestAction) { + require.Len(t, actions, 1, "expected 1 action") + assert.Equal(t, "actions/checkout", actions[0].Repo, "repo") + assert.Equal(t, "v4", actions[0].SHA, "sha") + assert.Equal(t, "v4", actions[0].Version, "version (same as sha when no comment)") + }, + }, + { + name: "ref without @ is skipped", + refs: []string{"actions/checkout"}, + check: func(t *testing.T, actions []GHAWManifestAction) { + assert.Empty(t, actions, "action without @ should be skipped") + }, + }, + { + name: "duplicate refs deduplicated", + refs: []string{ + "actions/checkout@abc123 # v4", + "actions/checkout@abc123 # v4", + }, + check: func(t *testing.T, actions []GHAWManifestAction) { + assert.Len(t, actions, 1, "duplicates should be removed") + }, + }, + { + name: "actions sorted by repo then sha", + refs: []string{ + "z-org/z-action@sha2", + "a-org/a-action@sha1", + }, + check: func(t *testing.T, actions []GHAWManifestAction) { + require.Len(t, actions, 2, "expected 2 actions") + assert.Equal(t, "a-org/a-action", actions[0].Repo, "first action repo") + assert.Equal(t, "z-org/z-action", actions[1].Repo, "second action repo") + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + actions := parseActionRefs(tt.refs) + if tt.wantLen > 0 { + assert.Len(t, actions, tt.wantLen, "action count") + } + if tt.check != nil { + tt.check(t, actions) + } + }) + } +}