diff --git a/.github/workflows/labelops-pr-security-scan.lock.yml b/.github/workflows/labelops-pr-security-scan.lock.yml index 89f9e9c1926..bbcc43adfd8 100644 --- a/.github/workflows/labelops-pr-security-scan.lock.yml +++ b/.github/workflows/labelops-pr-security-scan.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"636a346cf305f9bd3a333fdd180ffa87ff8df176d6b95b44bb7bd545201b912b","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0badf5a43f9b4c078fc6eaed74b5fbb08c507f7707f433b5ffc5cf4d2d9addea","compiler_version":"v0.76.1","strict":true,"agent_id":"copilot"} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"46d564922b082d0db93244972e8005ea6904ee5f","version":"v0.76.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.55"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.19"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4","digest":"sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.4@sha256:e3816a476a977cfb836e7d221510011436c654d11861db66ecfd826601aba6a4"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]} # ___ _ _ # / _ \ | | (_) @@ -65,7 +65,8 @@ on: permissions: {} concurrency: - group: "gh-aw-${{ github.workflow }}" + cancel-in-progress: false + group: labelops-pr-security-scan run-name: "PR Tooling Safety Check" @@ -191,21 +192,21 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_df1e042d37d12612_EOF' + cat << 'GH_AW_PROMPT_7907a5ffbf75bd73_EOF' - GH_AW_PROMPT_df1e042d37d12612_EOF + GH_AW_PROMPT_7907a5ffbf75bd73_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_df1e042d37d12612_EOF' + cat << 'GH_AW_PROMPT_7907a5ffbf75bd73_EOF' Tools: add_comment(max:25), add_labels(max:50), missing_tool, missing_data, noop - GH_AW_PROMPT_df1e042d37d12612_EOF + GH_AW_PROMPT_7907a5ffbf75bd73_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" - cat << 'GH_AW_PROMPT_df1e042d37d12612_EOF' + cat << 'GH_AW_PROMPT_7907a5ffbf75bd73_EOF' The following GitHub context information is available for this workflow: {{#if github.actor}} @@ -234,12 +235,12 @@ jobs: {{/if}} - GH_AW_PROMPT_df1e042d37d12612_EOF + GH_AW_PROMPT_7907a5ffbf75bd73_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_df1e042d37d12612_EOF' + cat << 'GH_AW_PROMPT_7907a5ffbf75bd73_EOF' {{#runtime-import .github/workflows/labelops-pr-security-scan.md}} - GH_AW_PROMPT_df1e042d37d12612_EOF + GH_AW_PROMPT_7907a5ffbf75bd73_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -465,9 +466,9 @@ jobs: mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_450ea76844541048_EOF' + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_5d417a6af96a1108_EOF' {"add_comment":{"hide_older_comments":true,"max":25,"target":"*"},"add_labels":{"allowed":["AI-Tooling-Check-Scanned-Clean","AI-Tooling-Check-Bypassed","⚠️ Affects-Build-Infra","⚠️ Affects-Compiler-Output","⚠️ Affects-Bootstrap","⚠️ Affects-Restore","⚠️ Affects-Design-Time","⚠️ Affects-Test-Tooling","⚠️ Affects-Agent-Config","⚠️ Suspicious-Prompting","⚠️ Scope-Review-Needed"],"max":50,"target":"*"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"false"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_450ea76844541048_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_5d417a6af96a1108_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | @@ -679,7 +680,7 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_47ad2461f6be2b34_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d4d457ef9db914af_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -723,7 +724,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_47ad2461f6be2b34_EOF + GH_AW_MCP_CONFIG_d4d457ef9db914af_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/labelops-pr-security-scan.md b/.github/workflows/labelops-pr-security-scan.md index a99366c4ebc..227ad950482 100644 --- a/.github/workflows/labelops-pr-security-scan.md +++ b/.github/workflows/labelops-pr-security-scan.md @@ -11,6 +11,10 @@ on: timeout-minutes: 15 +concurrency: + group: labelops-pr-security-scan + cancel-in-progress: false + permissions: read-all network: