diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 828732d7e61..15645cd1268 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -148,6 +148,11 @@
"version": "v6.0.0",
"sha": "030e881283bb7a6894de51c315a6bfe6a94e05cf"
},
+ "docker/setup-buildx-action@v4": {
+ "repo": "docker/setup-buildx-action",
+ "version": "v4",
+ "sha": "d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5"
+ },
"docker/setup-buildx-action@v4.0.0": {
"repo": "docker/setup-buildx-action",
"version": "v4.0.0",
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index e4b1b5fc59c..ac1053ae173 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a4d6c0e0eea19e818c539ce209737406af302285f0c38fc66e12de384ebfd5a7","strict":true,"agent_id":"claude"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"2f551d0f93c0fe290cddec96b13eb87b6c71b91fc363a1b51d2ceb35a1de4368","strict":true,"agent_id":"claude"}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"ghcr.io/github/serena-mcp-server:latest","digest":"sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5","pinned_image":"ghcr.io/github/serena-mcp-server:latest@sha256:bf343399e3725c45528f531a230f3a04521d4cdef29f9a5af6282ff0d3c393c5"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
# ___ _ _
# / _ \ | | (_)
@@ -67,8 +67,8 @@
name: "Developer Documentation Consolidator"
on:
schedule:
- - cron: "19 13 * * *"
- # Friendly format: daily (scattered)
+ - cron: "19 13 * * 6"
+ # Friendly format: weekly (scattered)
workflow_dispatch:
inputs:
aw_context:
@@ -210,25 +210,25 @@ jobs:
run: |
bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
{
- cat << 'GH_AW_PROMPT_11ae19bf7a59d533_EOF'
+ cat << 'GH_AW_PROMPT_d5fa5c99cbb130c2_EOF'
- GH_AW_PROMPT_11ae19bf7a59d533_EOF
+ GH_AW_PROMPT_d5fa5c99cbb130c2_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/cache_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/repo_memory_prompt.md"
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
- cat << 'GH_AW_PROMPT_11ae19bf7a59d533_EOF'
+ cat << 'GH_AW_PROMPT_d5fa5c99cbb130c2_EOF'
Tools: create_discussion, create_pull_request, missing_tool, missing_data, noop
- GH_AW_PROMPT_11ae19bf7a59d533_EOF
+ GH_AW_PROMPT_d5fa5c99cbb130c2_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_create_pull_request.md"
- cat << 'GH_AW_PROMPT_11ae19bf7a59d533_EOF'
+ cat << 'GH_AW_PROMPT_d5fa5c99cbb130c2_EOF'
- GH_AW_PROMPT_11ae19bf7a59d533_EOF
+ GH_AW_PROMPT_d5fa5c99cbb130c2_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
- cat << 'GH_AW_PROMPT_11ae19bf7a59d533_EOF'
+ cat << 'GH_AW_PROMPT_d5fa5c99cbb130c2_EOF'
The following GitHub context information is available for this workflow:
{{#if github.actor}}
@@ -257,9 +257,9 @@ jobs:
{{/if}}
- GH_AW_PROMPT_11ae19bf7a59d533_EOF
+ GH_AW_PROMPT_d5fa5c99cbb130c2_EOF
cat "${RUNNER_TEMP}/gh-aw/prompts/cli_proxy_with_safeoutputs_prompt.md"
- cat << 'GH_AW_PROMPT_11ae19bf7a59d533_EOF'
+ cat << 'GH_AW_PROMPT_d5fa5c99cbb130c2_EOF'
## Serena Code Analysis
@@ -297,7 +297,7 @@ jobs:
{{#runtime-import .github/workflows/shared/reporting.md}}
{{#runtime-import .github/workflows/shared/noop-reminder.md}}
{{#runtime-import .github/workflows/developer-docs-consolidator.md}}
- GH_AW_PROMPT_11ae19bf7a59d533_EOF
+ GH_AW_PROMPT_d5fa5c99cbb130c2_EOF
} > "$GH_AW_PROMPT"
- name: Interpolate variables and render templates
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -557,9 +557,9 @@ jobs:
mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
mkdir -p /tmp/gh-aw/safeoutputs
mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
- cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_a353b88931d048e1_EOF'
+ cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_0f4abc9d17592de4_EOF'
{"create_discussion":{"category":"audits","close_older_discussions":true,"expires":72,"fallback_to_issue":true,"max":1,"title_prefix":"[developer-docs] "},"create_pull_request":{"draft":false,"expires":48,"labels":["documentation","automation"],"max":1,"max_patch_files":100,"max_patch_size":1024,"protect_top_level_dot_folders":true,"protected_files":["package.json","bun.lockb","bunfig.toml","deno.json","deno.jsonc","deno.lock","global.json","NuGet.Config","Directory.Packages.props","mix.exs","mix.lock","go.mod","go.sum","stack.yaml","stack.yaml.lock","pom.xml","build.gradle","build.gradle.kts","settings.gradle","settings.gradle.kts","gradle.properties","package-lock.json","yarn.lock","pnpm-lock.yaml","npm-shrinkwrap.json","requirements.txt","Pipfile","Pipfile.lock","pyproject.toml","setup.py","setup.cfg","Gemfile","Gemfile.lock","uv.lock","CODEOWNERS","DESIGN.md","README.md","CONTRIBUTING.md","CHANGELOG.md","SECURITY.md","CODE_OF_CONDUCT.md","CLAUDE.md","AGENTS.md"],"protected_files_policy":"request_review","title_prefix":"[docs] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"push_repo_memory":{"memories":[{"dir":"/tmp/gh-aw/repo-memory/default","id":"default","max_file_count":100,"max_file_size":102400,"max_patch_size":10240}]},"report_incomplete":{}}
- GH_AW_SAFE_OUTPUTS_CONFIG_a353b88931d048e1_EOF
+ GH_AW_SAFE_OUTPUTS_CONFIG_0f4abc9d17592de4_EOF
- name: Generate Safe Outputs Tools
env:
GH_AW_TOOLS_META_JSON: |
@@ -798,7 +798,7 @@ jobs:
export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GITHUB_AW_OTEL_TRACE_ID -e GITHUB_AW_OTEL_PARENT_SPAN_ID -e OTEL_EXPORTER_OTLP_HEADERS -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.17'
GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
- cat << GH_AW_MCP_CONFIG_2325e44fc17fd82e_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+ cat << GH_AW_MCP_CONFIG_c0233e142ad8ebdb_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
{
"mcpServers": {
"safeoutputs": {
@@ -854,7 +854,7 @@ jobs:
}
}
}
- GH_AW_MCP_CONFIG_2325e44fc17fd82e_EOF
+ GH_AW_MCP_CONFIG_c0233e142ad8ebdb_EOF
- name: Mount MCP servers as CLIs
id: mount-mcp-clis
continue-on-error: true
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 0a1401ad760..2a34e61dd64 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -1,5 +1,5 @@
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6a6bd39e2339b2b176862a0fceb3dc70c2440fe79b8689f4e476134a57bed33a","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"anchore/sbom-action","sha":"e22c389904149dbc22b58101806040fa8d37a610","version":"v0.24.0"},{"repo":"docker/build-push-action","sha":"bcafcacb16a39f128d818304e6c9c0c18556b85f","version":"v7.1.0"},{"repo":"docker/login-action","sha":"4907a6ddec9925e35a0a9e82d7399ccc52663121","version":"v4.1.0"},{"repo":"docker/metadata-action","sha":"80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9","version":"v6"},{"repo":"docker/setup-buildx-action","sha":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd","version":"v4.0.0 (source v4)"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"anchore/sbom-action","sha":"e22c389904149dbc22b58101806040fa8d37a610","version":"v0.24.0"},{"repo":"docker/build-push-action","sha":"bcafcacb16a39f128d818304e6c9c0c18556b85f","version":"v7.1.0"},{"repo":"docker/login-action","sha":"4907a6ddec9925e35a0a9e82d7399ccc52663121","version":"v4.1.0"},{"repo":"docker/metadata-action","sha":"80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9","version":"v6"},{"repo":"docker/setup-buildx-action","sha":"d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5","version":"v4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
# ___ _ _
# / _ \ | | (_)
# | |_| | __ _ ___ _ __ | |_ _ ___
@@ -50,7 +50,7 @@
# - docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
# - docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
# - docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
-# - docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 (source v4)
+# - docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
#
# Container images used:
# - ghcr.io/github/gh-aw-firewall/agent:0.25.51
@@ -1372,7 +1372,7 @@ jobs:
env:
RELEASE_TAG: ${{ needs.config.outputs.release_tag }}
- name: Setup Docker Buildx (pre-validation)
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 (source v4)
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- name: Build Docker image (validation only)
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
@@ -1532,7 +1532,7 @@ jobs:
sbom.cdx.json
retention-days: 90
- name: Setup Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 (source v4)
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- name: Log in to GitHub Container Registry
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
diff --git a/.github/workflows/shared/apm.md b/.github/workflows/shared/apm.md
deleted file mode 100644
index 0b1b35d5e64..00000000000
--- a/.github/workflows/shared/apm.md
+++ /dev/null
@@ -1,344 +0,0 @@
----
-redirect: https://github.com/microsoft/apm/blob/main/.github/workflows/shared/apm.md
-# APM (Agent Package Manager) - Shared Workflow
-# Install Microsoft APM packages in your agentic workflow.
-#
-# This shared workflow normalises packages, single-app inputs, and apps[] (multi-org
-# GitHub App credential groups) into one canonical list of credential groups in an
-# "apm-prep" job, then fans the "apm" job out one matrix replica per group. Each
-# replica mints its own installation token (when an app-id is set), packs only its
-# declared packages with microsoft/apm-action, and uploads a uniquely-named artifact.
-# Pre-agent-steps then download all bundles and restore them in one apm-action call.
-#
-# Source of truth: https://github.com/microsoft/apm/blob/main/.github/workflows/shared/apm.md
-# apm-action pin: microsoft/apm-action@v1.5.0
-# To check whether a vendored copy is current, compare these two lines.
-#
-# Documentation: https://microsoft.github.io/apm/integrations/gh-aw/
-#
-# Three user-facing forms (all valid, additive):
-#
-# 1. Public + default-token packages (no App credentials):
-#
-# imports:
-# - uses: shared/apm.md
-# with:
-# packages:
-# - microsoft/apm-sample-package
-# - github/awesome-copilot/skills/review-and-refactor
-#
-# 2. Single GitHub App (one org) -- canonical shorthand:
-#
-# imports:
-# - uses: shared/apm.md
-# with:
-# app-id: ${{ vars.APP_ID }}
-# private-key: ${{ secrets.APP_PRIVATE_KEY }}
-# owner: my-org
-# packages:
-# - my-org/my-private-skills
-#
-# 3. Multiple GitHub Apps (cross-org):
-#
-# imports:
-# - uses: shared/apm.md
-# with:
-# packages:
-# - microsoft/apm-sample-package
-# apps:
-# - id: acme
-# app-id: ${{ vars.ACME_APP_ID }}
-# private-key: ${{ secrets.ACME_KEY }}
-# owner: acme-org
-# packages:
-# - acme-org/acme-skills/skills/code-review
-# - app-id: ${{ vars.BETA_APP_ID }}
-# private-key: ${{ secrets.BETA_KEY }}
-# owner: beta-org
-# packages:
-# - beta-org/beta-pkg
-
-import-schema:
- packages:
- type: array
- items:
- type: string
- required: false
- description: >
- Public APM packages or packages reachable via the default token cascade
- (GH_AW_PLUGINS_TOKEN, GH_AW_GITHUB_TOKEN, GITHUB_TOKEN). Optional. At
- least one of `packages`, the single-app inputs, or `apps` must be provided.
- Format: owner/repo or owner/repo/path/to/skill.
-
- # Single-app convenience form (canonical shorthand for one-org users)
- app-id:
- type: string
- required: false
- description: >
- GitHub App ID. With `private-key`, mints an installation token for the
- packages listed in `packages:`. For multiple orgs, use `apps:` instead.
- private-key:
- type: string
- required: false
- description: >
- PEM private key matching `app-id`. Required when `app-id` is set. Pass via
- a repository or organization secret.
- owner:
- type: string
- required: false
- description: >
- App installation owner. Defaults to the current repository owner when
- omitted. Only used when `app-id` is set.
- repositories:
- type: string
- required: false
- description: >
- Repositories the minted token is scoped to. Comma- or newline-separated.
- Empty defaults to the calling repo or the App installation default scope.
- Note: literal "*" is NOT a wildcard for actions/create-github-app-token;
- leave empty for org-wide access via App installation config.
-
- # Multi-app form (cross-org)
- apps:
- type: array
- required: false
- description: >
- List of GitHub App credential groups. Each entry mints its own
- installation token and packs its own packages. Use when packages span
- multiple orgs requiring different App installations.
- items:
- type: object
- properties:
- id:
- type: string
- required: false
- description: >
- Stable identifier used for matrix-row and artifact naming.
- Auto-derived from `owner` (slugified) when omitted. Required when
- two entries share the same owner.
- app-id:
- type: string
- required: true
- private-key:
- type: string
- required: true
- owner:
- type: string
- required: false
- repositories:
- type: string
- required: false
- packages:
- type: array
- items:
- type: string
- required: true
-
-jobs:
- apm-prep:
- runs-on: ubuntu-slim
- needs: [activation]
- permissions: {}
- outputs:
- matrix: ${{ steps.compute.outputs.matrix }}
- steps:
- # SECURITY (S3): never echo $groups, $matrix, or any matrix.group.* value
- # in any apm-prep step. private-key is a real secret string here.
- - name: Compute APM credential-group matrix
- id: compute
- env:
- AW_APM_PACKAGES: '${{ github.aw.import-inputs.packages }}'
- AW_APM_APPS: '${{ github.aw.import-inputs.apps }}'
- AW_APM_LEGACY_APP_ID: ${{ github.aw.import-inputs.app-id }}
- AW_APM_LEGACY_PRIVATE_KEY: ${{ github.aw.import-inputs.private-key }}
- AW_APM_LEGACY_OWNER: ${{ github.aw.import-inputs.owner }}
- AW_APM_LEGACY_REPOS: ${{ github.aw.import-inputs.repositories }}
- run: |
- set -euo pipefail
- packages_json=${AW_APM_PACKAGES:-null}
- apps_json=${AW_APM_APPS:-null}
- legacy_id=${AW_APM_LEGACY_APP_ID:-}
-
- groups=$(jq -nc \
- --argjson packages "$packages_json" \
- --argjson apps "$apps_json" \
- --arg legacy_id "$legacy_id" \
- --arg legacy_pk "${AW_APM_LEGACY_PRIVATE_KEY:-}" \
- --arg legacy_owner "${AW_APM_LEGACY_OWNER:-}" \
- --arg legacy_repos "${AW_APM_LEGACY_REPOS:-}" \
- 'def slug(s): s | gsub("[^a-zA-Z0-9-]"; "-") | ascii_downcase | .[0:32];
- def with_id(g):
- g + (if (g.id // "") == "" then {id: ("auto-" + slug(g.owner // "default"))} else {} end);
- [
- (if (($packages // []) | length) > 0 and $legacy_id == ""
- then [{id:"default",("app-id"):"",("private-key"):"",owner:"",repositories:"",packages:$packages}]
- else [] end),
- (if $legacy_id != ""
- then [with_id({id:"legacy",("app-id"):$legacy_id,("private-key"):$legacy_pk,owner:$legacy_owner,repositories:$legacy_repos,packages:($packages // [])})]
- else [] end),
- (($apps // []) | map(with_id(.)))
- ] | add // []')
-
- count=$(echo "$groups" | jq 'length')
- if [ "$count" = "0" ]; then
- echo "::error::shared/apm.md import provided no packages. Add packages: , single-app inputs (app-id + private-key), or apps: in the with: block."
- exit 1
- fi
-
- dups=$(echo "$groups" | jq -r '[.[].id] | group_by(.) | map(select(length > 1) | first) | join(", ")')
- if [ -n "$dups" ]; then
- echo "::error::duplicate apm group ids after auto-derivation: $dups. Set apps[].id explicitly when two entries share the same owner."
- exit 1
- fi
-
- while IFS= read -r id; do
- if ! echo "$id" | grep -Eq '^[a-z0-9-]{1,32}$'; then
- echo "::error::invalid apm group id: '$id' (lowercase alphanumeric and dashes, 1-32 chars). Set apps[].id explicitly."
- exit 1
- fi
- done < <(echo "$groups" | jq -r '.[].id')
-
- # SAFE: emit only id + package-count to logs. Never $groups in full.
- {
- echo "matrix={\"group\":$groups}"
- } >> "$GITHUB_OUTPUT"
- printf "::notice::APM matrix: %d credential group(s)\n" "$count"
- echo "$groups" | jq -r '.[] | " - " + .id + " (" + (.packages | length | tostring) + " package(s))"'
-
- apm:
- runs-on: ubuntu-slim
- needs: [activation, apm-prep]
- permissions: {}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON(needs.apm-prep.outputs.matrix) }}
- steps:
- - name: Mint installation token
- id: token
- if: ${{ matrix.group.app-id != '' }}
- uses: actions/create-github-app-token@v3.1.1
- with:
- app-id: ${{ matrix.group.app-id }}
- private-key: ${{ matrix.group.private-key }}
- owner: ${{ matrix.group.owner != '' && matrix.group.owner || github.repository_owner }}
- repositories: ${{ matrix.group.repositories }}
- - name: Render package list
- id: list
- env:
- AW_PKG: ${{ toJSON(matrix.group.packages) }}
- run: |
- DEPS=$(echo "$AW_PKG" | jq -r '.[] | "- " + .')
- {
- echo "deps<> "$GITHUB_OUTPUT"
- - name: Pack APM packages
- id: pack
- uses: microsoft/apm-action@v1.5.0
- env:
- GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
- with:
- dependencies: ${{ steps.list.outputs.deps }}
- isolated: 'true'
- pack: 'true'
- archive: 'true'
- target: all
- working-directory: /tmp/gh-aw/apm-workspace
- - name: Rename bundle to group-scoped filename
- id: rename-bundle
- env:
- BUNDLE_SRC: ${{ steps.pack.outputs.bundle-path }}
- GROUP_ID: ${{ matrix.group.id }}
- ARTIFACT_PREFIX: ${{ needs.activation.outputs.artifact_prefix }}
- run: |
- dst="$(dirname "$BUNDLE_SRC")/${ARTIFACT_PREFIX}apm-${GROUP_ID}.tar.gz"
- mv "$BUNDLE_SRC" "$dst"
- echo "bundle-path=$dst" >> "$GITHUB_OUTPUT"
- - name: Upload APM bundle artifact
- if: success()
- uses: actions/upload-artifact@v7.0.1
- with:
- name: ${{ needs.activation.outputs.artifact_prefix }}apm-${{ matrix.group.id }}
- path: ${{ steps.rename-bundle.outputs.bundle-path }}
- retention-days: '1'
-
-pre-agent-steps:
- - name: Download APM bundle artifacts (all groups)
- uses: actions/download-artifact@v8.0.1
- with:
- pattern: ${{ needs.activation.outputs.artifact_prefix }}apm-*
- path: /tmp/gh-aw/apm-bundles
- merge-multiple: false
- - name: Validate downloaded bundles match matrix manifest
- env:
- EXPECTED_MATRIX: ${{ needs.apm-prep.outputs.matrix }}
- ARTIFACT_PREFIX: ${{ needs.activation.outputs.artifact_prefix }}
- run: |
- set -euo pipefail
- mapfile -t expected_names < <(echo "$EXPECTED_MATRIX" | jq -r --arg prefix "$ARTIFACT_PREFIX" '.group | map($prefix + "apm-" + .id) | sort | .[]')
- missing=()
- for name in "${expected_names[@]}"; do
- if ! find /tmp/gh-aw/apm-bundles -maxdepth 2 -name "${name}.tar.gz" | grep -q .; then
- missing+=("$name")
- fi
- done
- if [ ${#missing[@]} -gt 0 ]; then
- echo "::error::missing APM bundles (group did not pack successfully): ${missing[*]}"
- exit 1
- fi
- actual_count=$(find /tmp/gh-aw/apm-bundles -maxdepth 2 -name "${ARTIFACT_PREFIX}apm-*.tar.gz" | wc -l)
- expected_count=${#expected_names[@]}
- if [ "$actual_count" -gt "$expected_count" ]; then
- echo "::error::unexpected APM bundles found: $actual_count file(s) but only $expected_count expected (possible collision)"
- exit 1
- fi
- - name: Build bundle list
- id: bundles
- run: |
- set -euo pipefail
- mapfile -t list < <(find /tmp/gh-aw/apm-bundles -name '*.tar.gz' | sort)
- [ ${#list[@]} -gt 0 ] || { echo '::error::no apm bundles found'; exit 1; }
- printf '%s\n' "${list[@]}" > /tmp/gh-aw/apm-bundle-list.txt
- - name: Restore APM packages (all bundles)
- uses: microsoft/apm-action@v1.5.0
- with:
- bundles-file: /tmp/gh-aw/apm-bundle-list.txt
----
-
-
diff --git a/docs/src/content/docs/reference/dependencies.md b/docs/src/content/docs/reference/dependencies.md
index 06a59c0a06b..9723c0aedd5 100644
--- a/docs/src/content/docs/reference/dependencies.md
+++ b/docs/src/content/docs/reference/dependencies.md
@@ -19,7 +19,7 @@ The canonical source is maintained in [microsoft/apm](https://github.com/microso
gh aw add microsoft/apm/.github/workflows/shared/apm.md --dir shared
```
-Running `gh aw update` will keep your vendored copy in sync with the canonical source. The `shared/apm.md` file declares a `redirect` to the `microsoft/apm` library, so any copy sourced from gh-aw will automatically follow the redirect and rewrite its `source` field to track the canonical location on the next `gh aw update` run.
+Running `gh aw update` will keep your vendored copy in sync with the canonical source.
The canonical version pins `microsoft/apm-action@v1.5.0` and supports multi-org GitHub App authentication (`apps:[]`) and multi-bundle restore.
diff --git a/pkg/cli/add_integration_test.go b/pkg/cli/add_integration_test.go
index 22d4d74aa4d..8bf612c6396 100644
--- a/pkg/cli/add_integration_test.go
+++ b/pkg/cli/add_integration_test.go
@@ -930,9 +930,8 @@ func TestAddPublicWorkflowUnauthenticated(t *testing.T) {
require.NoError(t, err, "downloaded workflow file should exist at %s", workflowFile)
}
-// TestAddRemoteWorkflowRedirect verifies that gh aw add follows frontmatter
-// redirects for remote workflows and writes source metadata for the redirected
-// upstream location.
+// TestAddRemoteWorkflowRedirect verifies that gh aw add fetches the canonical
+// APM shared workflow from microsoft/apm and writes correct source metadata.
func TestAddRemoteWorkflowRedirect(t *testing.T) {
setup := setupAddIntegrationTest(t)
defer setup.cleanup()
@@ -952,9 +951,8 @@ func TestAddRemoteWorkflowRedirect(t *testing.T) {
}
}
- // This workflow in github/gh-aw contains redirect frontmatter pointing to
- // microsoft/apm/.github/workflows/shared/apm.md.
- workflowSpec := "github/gh-aw/.github/workflows/shared/apm.md@main"
+ // The canonical APM shared workflow lives in microsoft/apm.
+ workflowSpec := "microsoft/apm/.github/workflows/shared/apm.md@main"
cmd := exec.Command(setup.binaryPath, "add", workflowSpec, "--verbose")
cmd.Dir = setup.tempDir
@@ -964,16 +962,14 @@ func TestAddRemoteWorkflowRedirect(t *testing.T) {
t.Logf("Command output:\n%s", outputStr)
- require.NoError(t, err, "gh aw add should succeed for redirected public workflow: %s", outputStr)
- assert.Contains(t, outputStr, "Workflow redirect:", "verbose output should indicate redirect resolution")
+ require.NoError(t, err, "gh aw add should succeed for canonical APM workflow: %s", outputStr)
workflowFile := filepath.Join(setup.tempDir, ".github", "workflows", "apm.md")
content, err := os.ReadFile(workflowFile)
- require.NoError(t, err, "redirect target workflow should be written")
+ require.NoError(t, err, "canonical APM workflow should be written")
contentStr := string(content)
- assert.Contains(t, contentStr, "source: microsoft/apm/.github/workflows/shared/apm.md@", "source should be pinned to redirected upstream workflow")
- assert.NotContains(t, contentStr, "source: github/gh-aw/.github/workflows/shared/apm.md@", "source should not remain pinned to pre-redirect location")
+ assert.Contains(t, contentStr, "source: microsoft/apm/.github/workflows/shared/apm.md@", "source should be pinned to canonical upstream workflow")
}
// TestAddWorkflowWithDispatchWorkflowDependency tests that when a remote workflow is added