diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index d5a05f6b98e..80130e4a1a7 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -65,7 +65,7 @@ "version": "v8.0.0", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, - "actions/setup-dotnet@v4": { + "actions/setup-dotnet@v4.3.1": { "repo": "actions/setup-dotnet", "version": "v4.3.1", "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9" @@ -80,7 +80,7 @@ "version": "v6.1.0", "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c" }, - "actions/setup-java@v4": { + "actions/setup-java@v4.8.0": { "repo": "actions/setup-java", "version": "v4.8.0", "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9" diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index fb0510112a6..7bc96415da9 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -674,6 +674,55 @@ jobs: 5. Post results as a discussion 6. Close older daily secrets discussions + ## Report Formatting Guidelines + + ### Header Levels + + **Use h3 (###) or lower for all headers in your report to maintain proper document hierarchy.** + + The discussion title serves as h1, so all content headers should start at h3: + - Use `###` for main sections (e.g., "### 🔐 Secret Usage Overview", "### 🛡️ Security Analysis") + - Use `####` for subsections (e.g., "#### By Secret Type", "#### Anomaly Detection") + - Never use `##` (h2) or `#` (h1) in the report body + + ### Progressive Disclosure + + **Wrap detailed sections in `
Section Name` tags to improve readability and reduce scrolling.** + + This is **critical** for this workflow since we analyze 125+ workflow files. Use collapsible sections for: + - Complete per-workflow secret usage lists + - Full secret reference tables for all 125+ workflows + - Detailed change history showing secret additions/removals + - Raw data extracts and analysis details + + Example: + ```markdown +
+ Per-Workflow Secret Usage + + ### All Workflows with Secrets + + | Workflow | Secret Types | Total References | + |----------|--------------|------------------| + | workflow-1.lock.yml | GITHUB_TOKEN, ANTHROPIC_API_KEY | 8 | + | workflow-2.lock.yml | GITHUB_TOKEN | 3 | + | ... (125+ workflows) | + +
+ ``` + + ### Recommended Report Structure + + For optimal readability, structure your report as follows: + + 1. **Security Summary** (always visible): Total workflows scanned, secret usage overview, critical findings + 2. **Top Secret Types** (always visible): Most commonly used secrets and their distribution + 3. **Security Concerns** (always visible): Anomalies, unusual patterns, potential issues + 4. **Detailed Analysis** (in `
` tags): Complete workflow-by-workflow breakdown + 5. **Recommendations** (always visible): Security best practices and action items + + This structure ensures key security metrics and concerns are immediately visible while keeping detailed per-workflow information collapsed to avoid overwhelming the reader. + ## Current Context - **Repository**: __GH_AW_GITHUB_REPOSITORY__ @@ -823,71 +872,109 @@ jobs: ## Generate Discussion Report - Create a comprehensive markdown report with your findings: + Create a comprehensive markdown report with your findings following the formatting guidelines above. - ### Report Structure + ### Report Template - Use the following template for the discussion post: + Use the following structure for the discussion post. **Remember**: Use h3 (###) or lower for all headers, and wrap detailed sections in `
` tags. ```markdown - # 🔐 Daily Secrets Analysis Report - - **Date**: [Today's Date] - **Workflow Files Analyzed**: [TOTAL_WORKFLOWS] - **Run**: [Link to workflow run] - - ## 📊 Executive Summary + Brief 2-3 paragraph executive summary highlighting key findings: total workflows analyzed, overall secret usage patterns, security posture, and any critical concerns requiring immediate attention. + **Key Metrics**: + - **Workflow Files Analyzed**: [TOTAL_WORKFLOWS] - **Total Secret References**: [SECRET_REFS] (`secrets.*`) - **GitHub Token References**: [TOKEN_REFS] (`github.token`) - **Unique Secret Types**: [SECRET_TYPES] - - **Job-Level Usage**: [JOB_LEVEL] ([percentage]%) - - **Step-Level Usage**: [STEP_LEVEL] ([percentage]%) - ## 🔑 Top 10 Secrets by Usage + ### 🔑 Top Secret Types + + Most commonly used secrets across all workflows: - | Rank | Secret Name | Occurrences | Type | - |------|-------------|-------------|------| - | 1 | GITHUB_TOKEN | [count] | GitHub Token | - | 2 | GH_AW_GITHUB_TOKEN | [count] | GitHub Token | + | Rank | Secret Name | Occurrences | % of Total | + |------|-------------|-------------|------------| + | 1 | GITHUB_TOKEN | [count] | [percentage]% | + | 2 | GH_AW_GITHUB_TOKEN | [count] | [percentage]% | + | 3 | ANTHROPIC_API_KEY | [count] | [percentage]% | | ... | ... | ... | ... | - ## 🛡️ Security Posture + ### 🛡️ Security Posture - ### Protection Mechanisms + #### Protection Mechanisms - ✅ **Redaction System**: [REDACTION_COUNT]/[TOTAL_WORKFLOWS] workflows have redaction steps + ✅ **Redaction System**: [REDACTION_COUNT]/[TOTAL_WORKFLOWS] workflows have redaction steps ([percentage]%) ✅ **Token Cascades**: [CASCADE_COUNT] instances of fallback chains ✅ **Permission Blocks**: [PERMISSION_BLOCKS] explicit permission definitions - ### Security Checks + #### Security Checks [Include results from Step 6 - template injection checks, secrets in outputs, etc.] 
- ## 📈 Trends + - ✅/⚠️ **Template Injection Risks**: [status and count] + - ✅/⚠️ **Secrets in Outputs**: [status and count] + + ### 🎯 Key Findings + + [Summarize 3-5 important findings, patterns, or anomalies] + + 1. **Finding 1**: Description + 2. **Finding 2**: Description + 3. **Finding 3**: Description + + ### 📈 Trends [If historical data available, show changes from previous day] - - Secret references: [change] + - Secret references: [change with trend indicator] - New secret types: [list any new secrets] - Removed secrets: [list any removed secrets] - ## 🎯 Key Findings +
+ 📊 Detailed Per-Workflow Analysis - [Summarize important findings, patterns, or anomalies] + ### Secret Usage by Workflow - 1. **Finding 1**: Description - 2. **Finding 2**: Description - 3. **Finding 3**: Description + Complete breakdown of secret usage across all 125+ workflow files: + + | Workflow | Secret Types | Total References | Job-Level | Step-Level | + |----------|--------------|------------------|-----------|------------| + | workflow-1.lock.yml | GITHUB_TOKEN, ANTHROPIC_API_KEY | 8 | 2 | 6 | + | workflow-2.lock.yml | GITHUB_TOKEN | 3 | 1 | 2 | + | ... (include all workflows) | + + ### Secret Distribution Details + + #### Job-Level Usage + - **Count**: [JOB_LEVEL] references ([percentage]% of total) + - **Description**: Secrets set at job level via env blocks + + #### Step-Level Usage + - **Count**: [STEP_LEVEL] references ([percentage]% of total) + - **Description**: Secrets set at individual step level + + ### Complete Secret Reference List + + List all unique secrets found and where they are used: + + #### GITHUB_TOKEN + - Used in: [list of workflows] + - Total references: [count] + - Pattern: [job-level/step-level distribution] + + #### [Other Secret Names] + [Similar breakdown for each secret type] + +
- ## 💡 Recommendations + ### 💡 Recommendations [Provide actionable recommendations based on analysis] 1. **Recommendation 1**: Action to take 2. **Recommendation 2**: Action to take + 3. **Recommendation 3**: Action to take - ## 📖 Reference Documentation + ### 📖 Reference Documentation For detailed information about secret usage patterns, see: - Specification: [`specs/secrets-yml.md`](https://github.com/githubnext/gh-aw/blob/main/specs/secrets-yml.md) @@ -896,6 +983,7 @@ jobs: --- **Generated**: [Timestamp] + **Run**: [Link to workflow run] **Workflow**: [Link to this workflow definition] ``` diff --git a/.github/workflows/daily-secrets-analysis.md b/.github/workflows/daily-secrets-analysis.md index b85d44398f4..a39800b855f 100644 --- a/.github/workflows/daily-secrets-analysis.md +++ b/.github/workflows/daily-secrets-analysis.md @@ -45,6 +45,55 @@ Generate a daily report analyzing secret usage in all `.lock.yml` files in the r 5. Post results as a discussion 6. Close older daily secrets discussions +## Report Formatting Guidelines + +### Header Levels + +**Use h3 (###) or lower for all headers in your report to maintain proper document hierarchy.** + +The discussion title serves as h1, so all content headers should start at h3: +- Use `###` for main sections (e.g., "### 🔐 Secret Usage Overview", "### 🛡️ Security Analysis") +- Use `####` for subsections (e.g., "#### By Secret Type", "#### Anomaly Detection") +- Never use `##` (h2) or `#` (h1) in the report body + +### Progressive Disclosure + +**Wrap detailed sections in `
Section Name` tags to improve readability and reduce scrolling.** + +This is **critical** for this workflow since we analyze 125+ workflow files. Use collapsible sections for: +- Complete per-workflow secret usage lists +- Full secret reference tables for all 125+ workflows +- Detailed change history showing secret additions/removals +- Raw data extracts and analysis details + +Example: +```markdown +
+Per-Workflow Secret Usage + +### All Workflows with Secrets + +| Workflow | Secret Types | Total References | +|----------|--------------|------------------| +| workflow-1.lock.yml | GITHUB_TOKEN, ANTHROPIC_API_KEY | 8 | +| workflow-2.lock.yml | GITHUB_TOKEN | 3 | +| ... (125+ workflows) | + +
+``` + +### Recommended Report Structure + +For optimal readability, structure your report as follows: + +1. **Security Summary** (always visible): Total workflows scanned, secret usage overview, critical findings +2. **Top Secret Types** (always visible): Most commonly used secrets and their distribution +3. **Security Concerns** (always visible): Anomalies, unusual patterns, potential issues +4. **Detailed Analysis** (in `
` tags): Complete workflow-by-workflow breakdown +5. **Recommendations** (always visible): Security best practices and action items + +This structure ensures key security metrics and concerns are immediately visible while keeping detailed per-workflow information collapsed to avoid overwhelming the reader. + ## Current Context - **Repository**: ${{ github.repository }} @@ -194,71 +243,109 @@ echo "Stats saved for tomorrow's comparison" ## Generate Discussion Report -Create a comprehensive markdown report with your findings: +Create a comprehensive markdown report with your findings following the formatting guidelines above. -### Report Structure +### Report Template -Use the following template for the discussion post: +Use the following structure for the discussion post. **Remember**: Use h3 (###) or lower for all headers, and wrap detailed sections in `
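Review bot: The bullet `- Raw data extracts and analysis details` in the Progressive Disclosure list tells the agent to publish raw extracts in the discussion, and nothing in this hunk limits what such an extract may contain. A collapsed details block only hides content visually; it is still posted with the rest of the report. I would add one bullet after the list, for example `- Raw extracts may contain only secret names and file/line locations, never token values, environment dumps or log output`. The phrase `125+ workflow files` also appears three times in this hunk, although the report template already carries the count as `[TOTAL_WORKFLOWS]`, so the hard-coded figure will go stale. The same text appears in the `daily-secrets-analysis.lock.yml` hunk `@@ -674,6 +674,55 @@`, which looks like it is compiled from this file, so the fix belongs here.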
` tags. ```markdown -# 🔐 Daily Secrets Analysis Report - -**Date**: [Today's Date] -**Workflow Files Analyzed**: [TOTAL_WORKFLOWS] -**Run**: [Link to workflow run] - -## 📊 Executive Summary +Brief 2-3 paragraph executive summary highlighting key findings: total workflows analyzed, overall secret usage patterns, security posture, and any critical concerns requiring immediate attention. +**Key Metrics**: +- **Workflow Files Analyzed**: [TOTAL_WORKFLOWS] - **Total Secret References**: [SECRET_REFS] (`secrets.*`) - **GitHub Token References**: [TOKEN_REFS] (`github.token`) - **Unique Secret Types**: [SECRET_TYPES] -- **Job-Level Usage**: [JOB_LEVEL] ([percentage]%) -- **Step-Level Usage**: [STEP_LEVEL] ([percentage]%) -## 🔑 Top 10 Secrets by Usage +### 🔑 Top Secret Types + +Most commonly used secrets across all workflows: -| Rank | Secret Name | Occurrences | Type | -|------|-------------|-------------|------| -| 1 | GITHUB_TOKEN | [count] | GitHub Token | -| 2 | GH_AW_GITHUB_TOKEN | [count] | GitHub Token | +| Rank | Secret Name | Occurrences | % of Total | +|------|-------------|-------------|------------| +| 1 | GITHUB_TOKEN | [count] | [percentage]% | +| 2 | GH_AW_GITHUB_TOKEN | [count] | [percentage]% | +| 3 | ANTHROPIC_API_KEY | [count] | [percentage]% | | ... | ... | ... | ... | -## 🛡️ Security Posture +### 🛡️ Security Posture -### Protection Mechanisms +#### Protection Mechanisms -✅ **Redaction System**: [REDACTION_COUNT]/[TOTAL_WORKFLOWS] workflows have redaction steps +✅ **Redaction System**: [REDACTION_COUNT]/[TOTAL_WORKFLOWS] workflows have redaction steps ([percentage]%) ✅ **Token Cascades**: [CASCADE_COUNT] instances of fallback chains ✅ **Permission Blocks**: [PERMISSION_BLOCKS] explicit permission definitions -### Security Checks +#### Security Checks [Include results from Step 6 - template injection checks, secrets in outputs, etc.] 
-## 📈 Trends +- ✅/⚠️ **Template Injection Risks**: [status and count] +- ✅/⚠️ **Secrets in Outputs**: [status and count] + +### 🎯 Key Findings + +[Summarize 3-5 important findings, patterns, or anomalies] + +1. **Finding 1**: Description +2. **Finding 2**: Description +3. **Finding 3**: Description + +### 📈 Trends [If historical data available, show changes from previous day] -- Secret references: [change] +- Secret references: [change with trend indicator] - New secret types: [list any new secrets] - Removed secrets: [list any removed secrets] -## 🎯 Key Findings +
+📊 Detailed Per-Workflow Analysis -[Summarize important findings, patterns, or anomalies] +### Secret Usage by Workflow -1. **Finding 1**: Description -2. **Finding 2**: Description -3. **Finding 3**: Description +Complete breakdown of secret usage across all 125+ workflow files: + +| Workflow | Secret Types | Total References | Job-Level | Step-Level | +|----------|--------------|------------------|-----------|------------| +| workflow-1.lock.yml | GITHUB_TOKEN, ANTHROPIC_API_KEY | 8 | 2 | 6 | +| workflow-2.lock.yml | GITHUB_TOKEN | 3 | 1 | 2 | +| ... (include all workflows) | + +### Secret Distribution Details + +#### Job-Level Usage +- **Count**: [JOB_LEVEL] references ([percentage]% of total) +- **Description**: Secrets set at job level via env blocks + +#### Step-Level Usage +- **Count**: [STEP_LEVEL] references ([percentage]% of total) +- **Description**: Secrets set at individual step level + +### Complete Secret Reference List + +List all unique secrets found and where they are used: + +#### GITHUB_TOKEN +- Used in: [list of workflows] +- Total references: [count] +- Pattern: [job-level/step-level distribution] + +#### [Other Secret Names] +[Similar breakdown for each secret type] + +
-## 💡 Recommendations +### 💡 Recommendations [Provide actionable recommendations based on analysis] 1. **Recommendation 1**: Action to take 2. **Recommendation 2**: Action to take +3. **Recommendation 3**: Action to take -## 📖 Reference Documentation +### 📖 Reference Documentation For detailed information about secret usage patterns, see: - Specification: [`specs/secrets-yml.md`](https://github.com/githubnext/gh-aw/blob/main/specs/secrets-yml.md) @@ -267,6 +354,7 @@ For detailed information about secret usage patterns, see: --- **Generated**: [Timestamp] +**Run**: [Link to workflow run] **Workflow**: [Link to this workflow definition] ``` diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 5a01d25f5ec..42fdffa21fb 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -166,7 +166,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server @@ -435,7 +435,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.395", + agent_version: "0.0.397", workflow_name: "Agent Container Smoke Test", experimental: false, supports_tools_allowlist: true, @@ -1017,7 +1017,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
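Review bot: The three `Protection Mechanisms` lines in the `@@ -194,71 +243,109 @@` template keep an unconditional ✅ even though the redaction line now reports a percentage, so a run where few workflows have redaction steps still renders as a pass. The new Security Checks bullets already use `✅/⚠️`, and the lines above them should follow, e.g. `✅/⚠️ **Redaction System**: [REDACTION_COUNT]/[TOTAL_WORKFLOWS] workflows have redaction steps ([percentage]%)`, ideally with a stated threshold for when ⚠️ applies. The closing row `| ... (include all workflows) |` has one cell in a five-column table; `| ... | ... | ... | ... | ... |` would match the Top Secret Types table. The `daily-secrets-analysis.lock.yml` hunk `@@ -823,71 +872,109 @@` carries the same template and presumably regenerates from this file.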
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index d5a05f6b98e..80130e4a1a7 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -65,7 +65,7 @@
 "version": "v8.0.0",
 "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
 },
- "actions/setup-dotnet@v4": {
+ "actions/setup-dotnet@v4.3.1": {
 "repo": "actions/setup-dotnet",
 "version": "v4.3.1",
 "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9"
@@ -80,7 +80,7 @@
 "version": "v6.1.0",
 "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c"
 },
- "actions/setup-java@v4": {
+ "actions/setup-java@v4.8.0": {
 "repo": "actions/setup-java",
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"