diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index aeab63c49f1..d49eb7ac0a3 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "ACE Editor Session" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/ace ') || startsWith(github.event.comment.body, '/ace\n') || github.event.comment.body == '/ace') && github.event.issue.pull_request != null)" runs-on: ubuntu-slim @@ -277,7 +277,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - post_ace_link @@ -547,7 +547,7 @@ jobs: /tmp/gh-aw/agent/ if-no-files-found: ignore - post_ace_link: + post_ace_link: # zizmor: ignore[secrets-outside-env] needs: activation if: needs.activation.outputs.activated == 'true' runs-on: ubuntu-latest @@ -582,7 +582,7 @@ jobs: body: `šŸ‘‹ Hey @${actor}! Here's your ACE editor session link for this pull request:\n\nšŸ”— **${aceUrl}**\n\nCopy and paste this link into Slack to invite your teammates into the session! šŸš€`, }); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/ace ') || startsWith(github.event.comment.body, '/ace\n') || github.event.comment.body == '/ace') && github.event.issue.pull_request != null" runs-on: ubuntu-slim permissions: diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index b79d5774483..6be671d7b22 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml 
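Review bot: The `# zizmor: ignore[secrets-outside-env]` suppression added on `activation:` carries no rationale, and the same bare comment is put on every job key in every lock file of this commit (`agent`, `post_ace_link`, `pre_activation`, `conclusion`, `safe_outputs`, `push_repo_memory`, `update_cache_memory`, …), so the audit is in effect switched off wholesale rather than triaged per job. The suppression already present in ci-doctor.lock.yml shows the form to follow: `# zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation`. These files look generated, so the change probably belongs in the generator: emit the ignore only on jobs that reference `secrets.*`, with a reason, e.g. `# zizmor: ignore[secrets-outside-env] - <why this job's secrets need no environment gate>`. If the intent really is a blanket opt-out, recording it once in the zizmor configuration keeps the decision reviewable in one place. The job bodies lie outside the hunks, so which jobs actually use secrets cannot be confirmed from here.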
@@ -43,7 +43,7 @@ concurrency: run-name: "Agent Performance Analyzer - Meta-Orchestrator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1013,7 +1013,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1132,7 +1132,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1164,7 +1164,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1236,7 +1236,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 78c5a5d2cd6..8a0fb215b21 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Agent Persona Explorer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim 
@@ -253,7 +253,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -954,7 +954,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1069,7 +1069,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1101,7 +1101,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1180,7 +1180,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 22dc9cedfa8..272bcaca522 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -56,7 +56,7 @@ concurrency: run-name: "AI Moderator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -292,7 +292,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -786,7 +786,7 @@ jobs: /tmp/gh-aw/agent_output.json if-no-files-found: ignore - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -899,7 +899,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: actions: read @@ -960,7 +960,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_bots.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1043,7 +1043,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - unlock: + unlock: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index abd6c1d5c80..9d84f983791 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml 
@@ -53,7 +53,7 @@ concurrency: run-name: "Archie" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/archie ') || startsWith(github.event.issue.body, '/archie\n') || github.event.issue.body == '/archie') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/archie ') || startsWith(github.event.comment.body, '/archie\n') || github.event.comment.body == '/archie') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/archie ') || startsWith(github.event.comment.body, '/archie\n') || github.event.comment.body == '/archie') && github.event.issue.pull_request != null || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/archie ') || startsWith(github.event.pull_request.body, '/archie\n') || github.event.pull_request.body == '/archie'))" runs-on: ubuntu-slim @@ -311,7 +311,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -929,7 +929,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1061,7 +1061,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issues' && (startsWith(github.event.issue.body, '/archie ') || startsWith(github.event.issue.body, '/archie\n') || github.event.issue.body == '/archie') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/archie ') || startsWith(github.event.comment.body, '/archie\n') || github.event.comment.body == '/archie') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/archie ') || startsWith(github.event.comment.body, '/archie\n') || github.event.comment.body == '/archie') && github.event.issue.pull_request != null || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/archie ') || startsWith(github.event.pull_request.body, '/archie\n') || github.event.pull_request.body == '/archie')" runs-on: ubuntu-slim permissions: @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index ff9be19a027..4e539b939f6 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Artifacts Summary" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -240,7 +240,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -850,7 +850,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -963,7 +963,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 19221d499dc..b7a39560950 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Agentic Workflow Audit Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1101,7 +1101,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1225,7 +1225,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1297,7 +1297,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1377,7 +1377,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1420,7 +1420,7 @@ jobs: key: trending-data-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 605f0fba71c..8ab9927b2ec 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -47,7 +47,7 @@ concurrency: run-name: "Auto-Triage Issues" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -899,7 +899,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1013,7 +1013,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: actions: read @@ -1061,7 +1061,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_rate_limit.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index b3e785921c2..1e69640a4f7 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Blog Auditor" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -248,7 +248,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -976,7 +976,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1093,7 +1093,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index f0a55a9256e..43483ed6bc1 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml 
@@ -38,7 +38,7 @@ concurrency: run-name: "Bot Detection" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: precompute if: needs.precompute.outputs.action != 'none' runs-on: ubuntu-slim @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - precompute @@ -801,7 +801,7 @@ jobs: /tmp/gh-aw/agent_output.json if-no-files-found: ignore - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -912,7 +912,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - precompute: + precompute: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-latest permissions: actions: read @@ -1718,7 +1718,7 @@ jobs: core.setOutput("issue_title", ISSUE_TITLE); core.setOutput("issue_body", issueBody); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' runs-on: ubuntu-slim diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index f99090053bf..7558daae17c 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Brave Web Search Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/brave ') || startsWith(github.event.comment.body, '/brave\n') || github.event.comment.body == '/brave') && github.event.issue.pull_request == null)" runs-on: ubuntu-slim @@ -300,7 +300,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -921,7 +921,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1053,7 +1053,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/brave ') || startsWith(github.event.comment.body, '/brave\n') || github.event.comment.body == '/brave') && github.event.issue.pull_request == null" runs-on: ubuntu-slim permissions: @@ -1097,7 +1097,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index f04134ee43f..16f83dd9fd1 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Breaking Change Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -246,7 +246,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -883,7 +883,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1000,7 +1000,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1045,7 +1045,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 7da61a07fcc..c71dafdce28 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Changeset Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && (((github.event.pull_request.base.ref == github.event.repository.default_branch) && @@ -299,7 +299,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -903,7 +903,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1015,7 +1015,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > ((github.event.pull_request.base.ref == github.event.repository.default_branch) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id)) && (github.event_name != 'pull_request' || 
@@ -1051,7 +1051,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index a28482834b5..79040d63842 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "CI Optimization Coach" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -261,7 +261,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -939,7 +939,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1072,7 +1072,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1185,7 +1185,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 6dfad8a2dc7..c6d6a839e26 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -56,7 +56,7 @@ concurrency: run-name: "CI Failure Doctor" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation if: 
> @@ -343,7 +343,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1065,7 +1065,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1207,7 +1207,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure') || github.event_name == 'pull_request' @@ -1254,7 +1254,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_stop_time.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1341,7 +1341,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index bf001ffcd2d..c0d0d9b7701 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Claude Code User Documentation Review" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -251,7 +251,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -936,7 +936,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1054,7 +1054,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1134,7 +1134,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 7abdc1c4d19..ef8b8d5d7c0 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -38,7 +38,7 @@ concurrency: run-name: "CLI Consistency Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -229,7 +229,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -848,7 +848,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -958,7 +958,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 138ab11c069..29a2dbba748 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "CLI Version Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -948,7 +948,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1059,7 +1059,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1139,7 +1139,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index a6157ba66a4..5a71155e455 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml 
@@ -69,7 +69,7 @@ concurrency: run-name: "/cloclo" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/cloclo ') || startsWith(github.event.issue.body, '/cloclo\n') || github.event.issue.body == '/cloclo') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/cloclo ') || startsWith(github.event.pull_request.body, '/cloclo\n') || github.event.pull_request.body == '/cloclo') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/cloclo ') || startsWith(github.event.discussion.body, '/cloclo\n') || github.event.discussion.body == '/cloclo') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') || github.event_name == 'issues' && github.event.label.name == 'cloclo' || github.event_name == 'pull_request' && github.event.label.name == 'cloclo' || github.event_name == 'discussion' && github.event.label.name == 'cloclo')" runs-on: ubuntu-slim 
@@ -374,7 +374,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1256,7 +1256,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1405,7 +1405,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issues' && (startsWith(github.event.issue.body, '/cloclo ') || startsWith(github.event.issue.body, '/cloclo\n') || github.event.issue.body == '/cloclo') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/cloclo ') || startsWith(github.event.pull_request.body, '/cloclo\n') || github.event.pull_request.body == '/cloclo') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/cloclo ') || startsWith(github.event.discussion.body, '/cloclo\n') || github.event.discussion.body == '/cloclo') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/cloclo ') || startsWith(github.event.comment.body, '/cloclo\n') || github.event.comment.body == '/cloclo') || github.event_name == 'issues' && github.event.label.name == 'cloclo' || github.event_name == 'pull_request' && github.event.label.name == 'cloclo' || github.event_name == 'discussion' && github.event.label.name == 'cloclo'" runs-on: ubuntu-slim permissions: 
@@ -1449,7 +1449,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1565,7 +1565,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index b3b7333032c..d6cc18303cc 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -41,7 +41,7 @@ concurrency: run-name: "Code Scanning Fixer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -927,7 +927,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1060,7 +1060,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1177,7 +1177,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1289,7 +1289,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 253e59dfaa2..85780f07943 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Code Simplifier" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -875,7 +875,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1008,7 +1008,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1053,7 +1053,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 7388331a379..3dd38107068 100644 
--- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -36,7 +36,7 @@ concurrency: run-name: "Codex GitHub Remote MCP Test" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -228,7 +228,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 1223b4a5b63..78f926d6ec1 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Commit Changes Analyzer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -911,7 +911,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1024,7 +1024,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 052c61dc333..17365f37e51 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml 
@@ -38,7 +38,7 @@ concurrency: run-name: "Constraint Solving — Problem of the Day" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -240,7 +240,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -850,7 +850,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -964,7 +964,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1043,7 +1043,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index f40da967781..33cfe85d0ae 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -41,7 +41,7 @@ env: TARGET_REPOSITORY: ${{ vars.TARGET_REPOSITORY || github.repository }} jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -892,7 +892,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1005,7 +1005,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 66738e140bb..da958499807 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Copilot Agent PR Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -275,7 +275,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -986,7 +986,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1177,7 +1177,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1256,7 +1256,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 1b65229cae5..49ec791f091 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Copilot CLI Deep Research Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -906,7 +906,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1024,7 +1024,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1096,7 +1096,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index fdfea1f848e..7641a9486fd 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml 
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Daily Copilot PR Merged Report" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -259,7 +259,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1026,7 +1026,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1140,7 +1140,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1219,7 +1219,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 9aca70d0ab0..769669b46f8 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -47,7 +47,7 @@ concurrency: run-name: "Copilot PR Conversation NLP Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -279,7 +279,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -988,7 +988,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1108,7 +1108,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1180,7 +1180,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1259,7 +1259,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1302,7 +1302,7 @@ jobs: key: copilot-pr-data-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 01ee1d11a15..71e1e9ede64 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Copilot PR Prompt Pattern Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -270,7 +270,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -925,7 +925,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1044,7 +1044,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1116,7 +1116,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1195,7 +1195,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index de7042215b3..142001b5ad0 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Copilot Session Insights" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -290,7 +290,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -1048,7 +1048,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1168,7 +1168,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1240,7 +1240,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1319,7 +1319,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1362,7 +1362,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 9c5c43916e6..a3e3e06f0bb 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml 
@@ -40,7 +40,7 @@ concurrency: run-name: "Workflow Craft Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/craft ') || startsWith(github.event.issue.body, '/craft\n') || github.event.issue.body == '/craft'))" runs-on: ubuntu-slim @@ -293,7 +293,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -921,7 +921,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1055,7 +1055,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issues' && (startsWith(github.event.issue.body, '/craft ') || startsWith(github.event.issue.body, '/craft\n') || github.event.issue.body == '/craft')" runs-on: ubuntu-slim permissions: @@ -1099,7 +1099,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index bcc70cc3687..cf83e13315d 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Architecture Diagram Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -245,7 +245,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -917,7 +917,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1045,7 +1045,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1159,7 +1159,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 4eef912474d..a1aa284f3fe 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -38,7 +38,7 @@ concurrency: run-name: "Auto-Assign Issue" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -227,7 +227,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -852,7 +852,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -964,7 +964,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index ffeec0d6859..b5e1317c4a5 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -38,7 +38,7 @@ concurrency: run-name: "Daily Choice Type Test" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -233,7 +233,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -901,7 +901,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1014,7 +1014,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1087,7 +1087,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - test_environment: + test_environment: # zizmor: ignore[secrets-outside-env] name: Test Environment Deployment needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'test_environment') diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 96db6432ff3..56c97a50488 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
@@ -67,7 +67,7 @@ concurrency: run-name: "Daily CLI Performance Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && (needs.pre_activation.outputs.has_changes == 'true' || @@ -288,7 +288,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1095,7 +1095,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1216,7 +1216,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1270,7 +1270,7 @@ jobs: core.info(`has_changes=${hasChanges}`); core.setOutput('has_changes', hasChanges ? 'true' : 'false'); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1342,7 +1342,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 47108970880..2efde7d157c 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily CLI Tools Exploratory Tester" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -244,7 +244,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -935,7 +935,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1046,7 +1046,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 31d394f02e9..61f2bd6b6ba 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Daily Code Metrics and Trend Tracking Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -272,7 +272,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1022,7 +1022,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1146,7 +1146,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1218,7 +1218,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1298,7 +1298,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1341,7 +1341,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 2f56317b7f5..3e4ff04a72c 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Community Attribution Updater" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -257,7 +257,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -938,7 +938,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1071,7 +1071,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1143,7 +1143,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 3c2988661a4..8866fab32cd 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Daily Compiler Quality Check" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -248,7 +248,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -911,7 +911,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1029,7 +1029,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1109,7 +1109,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 3a986caa34c..26794ff7889 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Daily Copilot Token Consumption Report" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -263,7 +263,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -992,7 +992,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1116,7 +1116,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1188,7 +1188,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1268,7 +1268,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1311,7 +1311,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index eb0cb6ff71e..b3fdd59f265 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Daily Documentation Healer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -256,7 +256,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1152,7 +1152,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1287,7 +1287,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1419,7 +1419,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 64921c4f073..0b1af11e4bb 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml 
@@ -43,7 +43,7 @@ concurrency: run-name: "Daily Documentation Updater" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1115,7 +1115,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1248,7 +1248,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1361,7 +1361,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 3aa021f6ff1..8d236398f07 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -40,7 +40,7 @@ concurrency: run-name: "Daily Fact About gh-aw" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -288,7 +288,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -872,7 +872,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -982,7 +982,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 4ddb12bc0c5..1c994f3f045 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Daily File Diet" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -253,7 +253,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -908,7 +908,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1022,7 +1022,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1067,7 +1067,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index ff9685bdd1a..5cefcff43f6 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -44,7 +44,7 @@ concurrency: run-name: "Daily Firewall Logs Collector and Reporter" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1005,7 +1005,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1125,7 +1125,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1205,7 +1205,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1248,7 +1248,7 @@ jobs: key: trending-data-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index e5e916ca420..c20962239c9 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Daily Go Function Namer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -968,7 +968,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1083,7 +1083,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1164,7 +1164,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index 39f719ca10a..a5cec16b7bb 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Daily DIFC Integrity-Filtered Events Analyzer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -257,7 +257,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1010,7 +1010,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1130,7 +1130,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1210,7 +1210,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1253,7 +1253,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index d23734cea1f..f04b7beaa4a 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Daily Issues Report Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -277,7 +277,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -973,7 +973,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1092,7 +1092,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1124,7 +1124,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1204,7 +1204,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1247,7 +1247,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 281b2a695f9..7dd2b9034eb 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Malicious Code Scan Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -236,7 +236,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -733,7 +733,7 @@ jobs: /tmp/gh-aw/agent_output.json if-no-files-found: ignore - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -847,7 +847,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index a6a4e6369ba..19afa94052c 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily MCP Tool Concurrency Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -934,7 +934,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1049,7 +1049,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1144,7 +1144,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 1e309e11013..5d6715752a5 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -49,7 +49,7 @@ concurrency: run-name: "Multi-Device Docs Tester" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -261,7 +261,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1025,7 +1025,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1140,7 +1140,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1221,7 +1221,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 154dff0ab62..404133af283 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Daily News" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -273,7 +273,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1060,7 +1060,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1184,7 +1184,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1256,7 +1256,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1336,7 +1336,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1379,7 +1379,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index fe98a6c66aa..3e7512b23cc 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml 
@@ -43,7 +43,7 @@ concurrency: run-name: "Daily Observability Report for AWF Firewall and MCP Gateway" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -959,7 +959,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1076,7 +1076,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1108,7 +1108,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index d4ae04ae8aa..a817b3d155a 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Daily Project Performance Summary Generator (Using MCP Scripts)" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -260,7 +260,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -1447,7 +1447,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1567,7 +1567,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1647,7 +1647,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1690,7 +1690,7 @@ jobs: key: trending-data-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index b4f6c5f39f5..ce66405d2b7 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Daily Regulatory Report Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1370,7 +1370,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1488,7 +1488,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 49f9cc5b609..6e812a9d332 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Daily Rendering Scripts Verifier" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -263,7 +263,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1061,7 +1061,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1194,7 +1194,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1239,7 +1239,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1352,7 +1352,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index f3aa53bbd12..268d2e2f9a5 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "The Daily Repository Chronicle" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -928,7 +928,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1047,7 +1047,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1127,7 +1127,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1170,7 +1170,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index ee8be544a1c..aa25c053bf4 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml 
+++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Safe Output Integrator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -240,7 +240,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -896,7 +896,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1028,7 +1028,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 92148bb7531..76e0a5d4dac 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Daily Safe Output Tool Optimizer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -263,7 +263,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1049,7 +1049,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1160,7 +1160,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -1205,7 +1205,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1285,7 +1285,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 710230f2369..ee925f1290e 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Safe Outputs Conformance Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -243,7 +243,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -912,7 +912,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1026,7 +1026,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 4e48cfde4c9..07cb9093002 100644 
--- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Secrets Analysis Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -237,7 +237,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -877,7 +877,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -994,7 +994,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index bd8df10150f..44df66a124e 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Security Red Team Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -916,7 +916,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1030,7 +1030,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 6bfcf7024c1..612348a69db 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Semgrep Scan" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -884,7 +884,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -995,7 +995,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 0918708c4a8..e35459c25aa 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Syntax Error Quality Check" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -237,7 +237,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -889,7 +889,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1003,7 +1003,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 0599980ffc5..de6e0cd391b 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Daily Team Evolution Insights" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -243,7 +243,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -908,7 +908,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1025,7 +1025,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index b173f88df3a..26c53872c98 100644 
--- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -50,7 +50,7 @@ concurrency: run-name: "Daily Team Status" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -868,7 +868,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -991,7 +991,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1023,7 +1023,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_stop_time.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index d8ba2d98371..0026c73839d 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -47,7 +47,7 @@ concurrency: run-name: "Daily Testify Uber Super Expert" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -268,7 +268,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -941,7 +941,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1060,7 +1060,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1177,7 +1177,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index ee0be0508eb..dbbcc4d01e4 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Daily Workflow Updater" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -231,7 +231,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -853,7 +853,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -985,7 +985,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 266c2795f04..a205885da20 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Dead Code Removal Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -256,7 +256,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -904,7 +904,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1032,7 +1032,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1077,7 +1077,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1189,7 +1189,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 1636717a7dd..220cb8c4c30 100644 --- a/.github/workflows/deep-report.lock.yml 
+++ b/.github/workflows/deep-report.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "DeepReport - Intelligence Gathering Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -277,7 +277,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1069,7 +1069,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1193,7 +1193,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1265,7 +1265,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1347,7 +1347,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1390,7 +1390,7 @@ jobs: key: weekly-issues-data-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 94fce1b65e9..0c89d20925f 100644 
--- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Delight" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -946,7 +946,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1069,7 +1069,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1141,7 +1141,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index cf2b8db260d..27b4e23d0e9 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Dependabot Burner" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -244,7 +244,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -860,7 +860,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -971,7 +971,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1003,7 +1003,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index cd95e8709c1..c456a16f0bc 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Dependabot Dependency Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -878,7 +878,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -989,7 +989,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index ba8b2d9f5f2..0d534b89ea5 100644 
--- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Dev Hawk" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation if: > @@ -266,7 +266,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -959,7 +959,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1072,7 +1072,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: ${{ github.event.workflow_run.event == 'workflow_dispatch' }} runs-on: ubuntu-slim permissions: @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 07c95499da0..dbf1ece5e9c 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -38,7 +38,7 @@ concurrency: run-name: "Dev" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -227,7 +227,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -845,7 +845,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -955,7 +955,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 9719f821f79..9786e50092a 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Developer Documentation Consolidator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1206,7 +1206,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1342,7 +1342,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1414,7 +1414,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1527,7 +1527,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index bcfb37c9208..fbc0411e188 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Dictation Prompt Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1006,7 +1006,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1133,7 +1133,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index ad1040efe6a..0ddf92cf107 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Discussion Task Miner - Code Quality Improvement Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -253,7 +253,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -930,7 +930,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1052,7 +1052,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1124,7 +1124,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index ded94733bb4..aacd1dacc22 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Documentation Noob Tester" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -244,7 +244,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -896,7 +896,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1010,7 +1010,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1089,7 +1089,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 35d796975da..21739782f57 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Draft PR Cleanup" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -230,7 +230,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -887,7 +887,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1000,7 +1000,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 3920e87ba28..2065c821182 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Duplicate Code Detector" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -253,7 +253,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -901,7 +901,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1013,7 +1013,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index be7b15ecb79..09fb05e41c3 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -36,7 +36,7 @@ concurrency: run-name: "Example: Properly Provisioned Permissions" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -226,7 +226,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index d214c0f6568..358f2853581 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Weekly Workflow Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -242,7 +242,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -979,7 +979,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1092,7 +1092,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 57614fd35b3..66c2a527de6 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "The Great Escapi" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -920,7 +920,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1043,7 +1043,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - post-issue: + post-issue: # zizmor: ignore[secrets-outside-env] needs: agent if: failure() runs-on: ubuntu-latest 
@@ -1080,7 +1080,7 @@ jobs: labels: ['bug', 'firewall', 'automated'] }); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'firewall-escape-test') @@ -1115,7 +1115,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1186,7 +1186,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1266,7 +1266,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index f53ed556c6c..57821dd7124 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -36,7 +36,7 @@ concurrency: run-name: "Firewall Test Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -228,7 +228,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 5c289efe541..04fda4374b0 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Functional Pragmatist" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -245,7 +245,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -865,7 +865,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -998,7 +998,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index cc6de304be1..4af3c1068de 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "GitHub MCP Structural Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -989,7 +989,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1104,7 +1104,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1183,7 +1183,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1226,7 +1226,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index a9849882d8c..3090fe4e993 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "GitHub MCP Remote Server Tools Report Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -976,7 +976,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1107,7 +1107,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1220,7 +1220,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index f37898939f8..2bee73d4f75 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "GitHub Remote MCP Authentication Test" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -240,7 +240,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -858,7 +858,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -972,7 +972,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 4b93531d9b0..dad79887971 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml 
@@ -45,7 +45,7 @@ concurrency: run-name: "Glossary Maintainer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -276,7 +276,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1130,7 +1130,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1264,7 +1264,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1336,7 +1336,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1448,7 +1448,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 3d200d52dc0..b0938167c3d 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Go Fan" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -979,7 +979,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1097,7 +1097,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1177,7 +1177,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 072b6bbf5d5..c34144dbde2 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Go Logger Enhancement" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -251,7 +251,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1140,7 +1140,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1268,7 +1268,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1380,7 +1380,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 138661c9876..f176a1890ed 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Go Pattern Detector" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -250,7 +250,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - ast_grep @@ -938,7 +938,7 @@ jobs: echo "Detection found issues" fi - ast_grep: + ast_grep: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest outputs: @@ -980,7 +980,7 @@ jobs: echo "::notice::No Go patterns matching json:\"-\" found" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1090,7 +1090,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 49f2d60d775..c969584a7ef 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "GPL Dependency Cleaner (gpclean)" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -887,7 +887,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -999,7 +999,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1079,7 +1079,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index f82a7dc2d51..ffe0a803a87 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml 
@@ -50,7 +50,7 @@ concurrency: run-name: "Grumpy Code Reviewer šŸ”„" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (((github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/grumpy ') || startsWith(github.event.comment.body, '/grumpy\n') || github.event.comment.body == '/grumpy') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/grumpy ') || startsWith(github.event.comment.body, '/grumpy\n') || github.event.comment.body == '/grumpy')) || (!(github.event_name == 'issue_comment')) && (!(github.event_name == 'pull_request_review_comment'))) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id))" runs-on: ubuntu-slim @@ -317,7 +317,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -954,7 +954,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1085,7 +1085,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "((github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/grumpy ') || startsWith(github.event.comment.body, '/grumpy\n') || github.event.comment.body == '/grumpy') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/grumpy ') || startsWith(github.event.comment.body, '/grumpy\n') || github.event.comment.body == '/grumpy')) || (!(github.event_name == 'issue_comment')) && (!(github.event_name == 'pull_request_review_comment'))) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id)" runs-on: ubuntu-slim permissions: @@ -1129,7 +1129,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1208,7 +1208,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 342cff66c80..b71fef28060 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml 
@@ -42,7 +42,7 @@ concurrency: run-name: "CI Cleaner" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: check_ci_status if: needs.check_ci_status.outputs.ci_needs_fix == 'true' runs-on: ubuntu-slim @@ -258,7 +258,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - check_ci_status @@ -915,7 +915,7 @@ jobs: echo "Detection found issues" fi - check_ci_status: + check_ci_status: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-latest permissions: actions: read @@ -970,7 +970,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 5864ad65b52..16cdfa16fd7 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Instructions Janitor" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -244,7 +244,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -961,7 +961,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1089,7 +1089,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1201,7 +1201,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 5694fa08941..041225c32db 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Issue Arborist" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -900,7 +900,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1013,7 +1013,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 27158fb3346..a7632fdb996 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -398,7 +398,7 @@ concurrency: run-name: "Issue Monster" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' && (needs.pre_activation.outputs.has_issues == 'true') runs-on: ubuntu-slim 
@@ -613,7 +613,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1234,7 +1234,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1350,7 +1350,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1762,7 +1762,7 @@ jobs: core.setOutput('has_issues', 'false'); } - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 5b6d44b7d8c..3553e82d392 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -41,7 +41,7 @@ concurrency: run-name: "Issue Triage Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -240,7 +240,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -841,7 +841,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -953,7 +953,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 9c146112454..5c9953d0ea7 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "jsweep - JavaScript Unbloater" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -246,7 +246,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -907,7 +907,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1041,7 +1041,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1154,7 +1154,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 66d5618c919..0ef4c9050e2 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -40,7 +40,7 @@ run-name: "Layout Specification Maintainer" # Cache configuration from frontmatter was processed and added to the main job steps jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -238,7 +238,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -894,7 +894,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1027,7 +1027,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 38ee0d0da5f..a79a9c92329 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Lockfile Statistics Analysis Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -932,7 +932,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1046,7 +1046,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1125,7 +1125,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 4de3c8765cd..37cf81ad840 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -58,7 +58,7 @@ concurrency: run-name: "MCP Inspector Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -309,7 +309,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1369,7 +1369,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1486,7 +1486,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - notion_add_comment: + notion_add_comment: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'notion_add_comment') runs-on: ubuntu-latest @@ -1613,7 +1613,7 @@ jobs: } } - post_to_slack_channel: + post_to_slack_channel: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'post_to_slack_channel') runs-on: ubuntu-latest @@ -1754,7 +1754,7 @@ jobs: } } - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1834,7 +1834,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index f1ea0091805..a2154c2b3bd 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml 
@@ -39,7 +39,7 @@ concurrency: run-name: "Mergefest" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/mergefest ') || startsWith(github.event.comment.body, '/mergefest\n') || github.event.comment.body == '/mergefest') && github.event.issue.pull_request != null)" runs-on: ubuntu-slim @@ -294,7 +294,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -937,7 +937,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1068,7 +1068,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/mergefest ') || startsWith(github.event.comment.body, '/mergefest\n') || github.event.comment.body == '/mergefest') && github.event.issue.pull_request != null" runs-on: ubuntu-slim permissions: @@ -1112,7 +1112,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 492aa8b9d4e..5b1533e39ab 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml 
@@ -39,7 +39,7 @@ concurrency: run-name: "Metrics Collector - Infrastructure Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -629,7 +629,7 @@ jobs: /tmp/gh-aw/agent/ if-no-files-found: ignore - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -661,7 +661,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() runs-on: ubuntu-latest diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 42fabc73d49..b98a8bf3d6e 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Issue Summary to Notion" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -740,7 +740,7 @@ jobs: /tmp/gh-aw/agent_output.json if-no-files-found: ignore - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -850,7 +850,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - notion_add_comment: + notion_add_comment: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'notion_add_comment') runs-on: ubuntu-latest @@ -977,7 +977,7 @@ jobs: } } - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' runs-on: ubuntu-slim diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 1188c32e2c0..7da060cf47d 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Organization Health Report" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -258,7 +258,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -931,7 +931,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1047,7 +1047,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1126,7 +1126,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1169,7 +1169,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 4c54c836ba3..ef6842a10c6 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -59,7 +59,7 @@ concurrency: run-name: "Resource Summarizer Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && ((github.event_name == 'issue_comment' || github.event_name == 'issues') && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/summarize ') || startsWith(github.event.issue.body, '/summarize\n') || github.event.issue.body == '/summarize') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/summarize ') || startsWith(github.event.comment.body, '/summarize\n') || github.event.comment.body == '/summarize') && github.event.issue.pull_request == null) || (!(github.event_name == 'issue_comment')) && (!(github.event_name == 'issues')))" runs-on: ubuntu-slim @@ -337,7 +337,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -995,7 +995,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1131,7 +1131,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "(github.event_name == 'issue_comment' || github.event_name == 'issues') && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/summarize ') || startsWith(github.event.issue.body, '/summarize\n') || github.event.issue.body == '/summarize') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/summarize ') || startsWith(github.event.comment.body, '/summarize\n') || github.event.comment.body == '/summarize') && github.event.issue.pull_request == null) || (!(github.event_name == 'issue_comment')) && (!(github.event_name == 'issues'))" runs-on: ubuntu-slim permissions: @@ -1175,7 +1175,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1258,7 +1258,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index e52d901b4b0..ded5d146388 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml 
@@ -43,7 +43,7 @@ concurrency: run-name: "Plan Command" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/plan ') || startsWith(github.event.comment.body, '/plan\n') || github.event.comment.body == '/plan') && github.event.issue.pull_request == null || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/plan ') || startsWith(github.event.comment.body, '/plan\n') || github.event.comment.body == '/plan'))" runs-on: ubuntu-slim @@ -299,7 +299,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -939,7 +939,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1069,7 +1069,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/plan ') || startsWith(github.event.comment.body, '/plan\n') || github.event.comment.body == '/plan') && github.event.issue.pull_request == null || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/plan ') || startsWith(github.event.comment.body, '/plan\n') || github.event.comment.body == '/plan')" runs-on: ubuntu-slim permissions: @@ -1113,7 +1113,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index bb2845db60d..3fae111d6de 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -53,7 +53,7 @@ concurrency: run-name: "Poem Bot - A Creative Agentic Workflow" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/poem-bot ') || startsWith(github.event.issue.body, '/poem-bot\n') || github.event.issue.body == '/poem-bot') || !(github.event_name == 'issues'))" runs-on: ubuntu-slim @@ -329,7 +329,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1281,7 +1281,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1432,7 +1432,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issues' && (startsWith(github.event.issue.body, '/poem-bot ') || startsWith(github.event.issue.body, '/poem-bot\n') || github.event.issue.body == '/poem-bot') || !(github.event_name == 'issues')" runs-on: ubuntu-slim permissions: @@ -1476,7 +1476,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1571,7 +1571,7 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('${{ runner.temp }}/gh-aw/actions/create_agent_session.cjs'); await main(); - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1614,7 +1614,7 @@ jobs: key: poem-memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 26b0dbbc2c5..1cca72fef5e 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Automated Portfolio Analyst" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -260,7 +260,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1016,7 +1016,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1136,7 +1136,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1216,7 +1216,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1259,7 +1259,7 @@ jobs: key: trending-data-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 7700077ffa9..4c45b91346a 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml 
@@ -66,7 +66,7 @@ concurrency: run-name: "PR Nitpick Reviewer šŸ”" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/nit ') || startsWith(github.event.issue.body, '/nit\n') || github.event.issue.body == '/nit') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/nit ') || startsWith(github.event.pull_request.body, '/nit\n') || github.event.pull_request.body == '/nit') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/nit ') || startsWith(github.event.discussion.body, '/nit\n') || github.event.discussion.body == '/nit') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit'))" runs-on: ubuntu-slim @@ -336,7 +336,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1017,7 +1017,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1153,7 +1153,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issues' && (startsWith(github.event.issue.body, '/nit ') || startsWith(github.event.issue.body, '/nit\n') || github.event.issue.body == '/nit') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/nit ') || startsWith(github.event.pull_request.body, '/nit\n') || github.event.pull_request.body == '/nit') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/nit ') || startsWith(github.event.discussion.body, '/nit\n') || github.event.discussion.body == '/nit') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/nit ') || startsWith(github.event.comment.body, '/nit\n') || github.event.comment.body == '/nit')" runs-on: ubuntu-slim permissions: @@ -1197,7 +1197,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1278,7 +1278,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 11837662a73..5c68088ba0c 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -38,7 +38,7 @@ concurrency: run-name: "PR Triage Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -919,7 +919,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1038,7 +1038,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1110,7 +1110,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 228ca4eb3f9..7fb33ce4ef3 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -49,7 +49,7 @@ run-name: "Copilot Agent Prompt Clustering Analysis" # Cache configuration from frontmatter was processed and added to the main job steps jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -268,7 +268,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1074,7 +1074,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1188,7 +1188,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1267,7 +1267,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index cdcc8a6cef6..e2a4ef0a010 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Python Data Visualization Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -258,7 +258,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -1004,7 +1004,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1120,7 +1120,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1199,7 +1199,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1242,7 +1242,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index e7e0dad6666..29321b09d9a 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml 
@@ -69,7 +69,7 @@ concurrency: run-name: "Q" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && ((github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment') && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/q ') || startsWith(github.event.issue.body, '/q\n') || github.event.issue.body == '/q') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/q ') || startsWith(github.event.pull_request.body, '/q\n') || github.event.pull_request.body == '/q') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/q ') || startsWith(github.event.discussion.body, '/q\n') || github.event.discussion.body == '/q') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q')) || (!(github.event_name == 'issues')) && (!(github.event_name == 'issue_comment')) && (!(github.event_name == 'pull_request')) && (!(github.event_name == 'pull_request_review_comment')) && (!(github.event_name 
== 'discussion')) && (!(github.event_name == 'discussion_comment')))" runs-on: ubuntu-slim @@ -346,7 +346,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1107,7 +1107,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1257,7 +1257,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "(github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment') && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/q ') || startsWith(github.event.issue.body, '/q\n') || github.event.issue.body == '/q') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/q ') || startsWith(github.event.pull_request.body, '/q\n') || github.event.pull_request.body == '/q') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/q ') || startsWith(github.event.discussion.body, '/q\n') || github.event.discussion.body == '/q') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/q ') || startsWith(github.event.comment.body, '/q\n') || github.event.comment.body == '/q')) || (!(github.event_name == 'issues')) && (!(github.event_name == 'issue_comment')) && (!(github.event_name == 'pull_request')) && (!(github.event_name == 'pull_request_review_comment')) && 
(!(github.event_name == 'discussion')) && (!(github.event_name == 'discussion_comment'))" runs-on: ubuntu-slim permissions: @@ -1301,7 +1301,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1417,7 +1417,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 28c3ef86bdb..f199c5d2f05 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Code Refiner" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -271,7 +271,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -904,7 +904,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1034,7 +1034,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'refine') 
@@ -1069,7 +1069,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 27ca317782b..c458ccb2838 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -53,7 +53,7 @@ concurrency: run-name: "Release" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -256,7 +256,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - config @@ -897,7 +897,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1007,7 +1007,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - config: + config: # zizmor: ignore[secrets-outside-env] needs: - activation - pre_activation @@ -1123,7 +1123,7 @@ jobs: core.setOutput('release_tag', releaseTag); console.log(`āœ“ Release tag: ${releaseTag}`); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1155,7 +1155,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - push_tag: + push_tag: # zizmor: ignore[secrets-outside-env] needs: - activation - config @@ -1236,7 +1236,7 @@ jobs: env: RELEASE_TAG: ${{ needs.config.outputs.release_tag }} - release: + release: # zizmor: ignore[secrets-outside-env] needs: - activation - config 
@@ -1376,7 +1376,7 @@ jobs: sbom: true tags: ${{ steps.meta.outputs.tags }} - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1453,7 +1453,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - sync_actions: + sync_actions: # zizmor: ignore[secrets-outside-env] needs: - activation - config diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 52ec2f2943c..0e85134829d 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Repository Audit & Agentic Workflow Opportunity Analyzer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -255,7 +255,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -880,7 +880,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -998,7 +998,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1077,7 +1077,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index adca8ec1530..1092f2d64ec 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Repository Tree Map Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -850,7 +850,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -964,7 +964,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 87807e1833a..6604eaa21c6 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Repository Quality Improvement Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -252,7 +252,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -894,7 +894,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1009,7 +1009,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1088,7 +1088,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index bb28c735d81..63c1a7129f1 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -46,7 +46,7 @@ concurrency: run-name: "Basic Research Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -253,7 +253,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -883,7 +883,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -997,7 +997,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 430f98f6870..fd8debc5f48 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml 
@@ -44,7 +44,7 @@ concurrency: run-name: "Safe Output Health Monitor" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1033,7 +1033,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1147,7 +1147,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1226,7 +1226,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 29d3703fd66..d6d0c4b9c23 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Schema Consistency Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -248,7 +248,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -932,7 +932,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1046,7 +1046,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1125,7 +1125,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 14f156f58e7..6a3e8b8fcf1 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Schema Feature Coverage Checker" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -245,7 +245,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -853,7 +853,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -980,7 +980,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index f5b058e8423..0564db4c702 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -88,7 +88,7 @@ concurrency: run-name: "Scout" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && ((github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment') && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/scout ') || startsWith(github.event.issue.body, '/scout\n') || github.event.issue.body == '/scout') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/scout ') || startsWith(github.event.pull_request.body, '/scout\n') || github.event.pull_request.body == '/scout') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/scout ') || startsWith(github.event.discussion.body, '/scout\n') || github.event.discussion.body == '/scout') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout')) || (!(github.event_name == 'issues')) && (!(github.event_name == 'issue_comment')) && (!(github.event_name == 
'pull_request')) && (!(github.event_name == 'pull_request_review_comment')) && (!(github.event_name == 'discussion')) && (!(github.event_name == 'discussion_comment')))" runs-on: ubuntu-slim @@ -384,7 +384,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -770,11 +770,14 @@ jobs: "type": "http", "url": "https://mcp.tavily.com/mcp/", "headers": { - "Authorization": "Bearer ${{ secrets.TAVILY_API_KEY }}" + "Authorization": "Bearer ${TAVILY_API_KEY}" }, "tools": [ "*" ], + "env": { + "TAVILY_API_KEY": "" + }, "guard-policies": { "write-sink": { "accept": [ @@ -1179,7 +1182,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
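Review bot: In the `@@ -770,11 +770,14 @@` hunk the new `"env"` entry is `"TAVILY_API_KEY": ""`, so as shown the header `"Authorization": "Bearer ${TAVILY_API_KEY}"` has no visible source for its value; the same pair appears in the `@@ -1936,11 +1936,14 @@` hunk of smoke-claude.lock.yml. Dropping the `${{ secrets.TAVILY_API_KEY }}` template expansion keeps the token out of the rendered config text, but it only works if the step that consumes this config has `TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }}` in its `env:` and whatever reads the config treats the empty value as pass-through from its own environment. Both lie outside the hunk and should be confirmed. If an unset variable expands silently, the request is sent with an empty bearer token, so a check that fails the step when `TAVILY_API_KEY` is empty would make that visible. The enclosing server entry and step begin and end outside the hunk.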
@@ -1312,7 +1315,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "(github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment') && (github.event_name == 'issues' && (startsWith(github.event.issue.body, '/scout ') || startsWith(github.event.issue.body, '/scout\n') || github.event.issue.body == '/scout') || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout') && github.event.issue.pull_request == null || github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout') || github.event_name == 'pull_request' && (startsWith(github.event.pull_request.body, '/scout ') || startsWith(github.event.pull_request.body, '/scout\n') || github.event.pull_request.body == '/scout') || github.event_name == 'discussion' && (startsWith(github.event.discussion.body, '/scout ') || startsWith(github.event.discussion.body, '/scout\n') || github.event.discussion.body == '/scout') || github.event_name == 'discussion_comment' && (startsWith(github.event.comment.body, '/scout ') || startsWith(github.event.comment.body, '/scout\n') || github.event.comment.body == '/scout')) || (!(github.event_name == 'issues')) && (!(github.event_name == 'issue_comment')) && (!(github.event_name == 
'pull_request')) && (!(github.event_name == 'pull_request_review_comment')) && (!(github.event_name == 'discussion')) && (!(github.event_name == 'discussion_comment'))" runs-on: ubuntu-slim permissions: @@ -1356,7 +1359,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1439,7 +1442,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 1c52c598f24..3361b97fd7c 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Security Compliance Campaign" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -270,7 +270,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -902,7 +902,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1018,7 +1018,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1090,7 +1090,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 05ed232dda7..f40f3590f17 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -47,7 +47,7 @@ concurrency: run-name: "Security Review Agent šŸ”’" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/security-review ') || startsWith(github.event.comment.body, '/security-review\n') || github.event.comment.body == '/security-review') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/security-review ') || startsWith(github.event.comment.body, '/security-review\n') || github.event.comment.body == '/security-review'))" runs-on: ubuntu-slim @@ -314,7 +314,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1045,7 +1045,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1177,7 +1177,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/security-review ') || startsWith(github.event.comment.body, '/security-review\n') || github.event.comment.body == '/security-review') && github.event.issue.pull_request != null || github.event_name == 'pull_request_review_comment' && (startsWith(github.event.comment.body, '/security-review ') || startsWith(github.event.comment.body, '/security-review\n') || github.event.comment.body == '/security-review')" runs-on: ubuntu-slim permissions: @@ -1221,7 +1221,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1300,7 +1300,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 61bc5eb5ef0..5b2032b408d 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Semantic Function Refactoring" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -978,7 +978,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1088,7 +1088,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 934df595db2..4ce706c8202 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Sergo - Serena Go Expert" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -978,7 +978,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1096,7 +1096,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1176,7 +1176,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 0377b17fd0f..7bae6bd3279 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Slide Deck Maintainer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -272,7 +272,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -974,7 +974,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1108,7 +1108,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1153,7 +1153,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1266,7 +1266,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index ceda8701af7..7c7b88f1fec 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Agent: all/merged" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -857,7 +857,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -989,7 +989,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'metal') @@ -1024,7 +1024,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index cf1d84ac4e8..55db32ad341 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml 
@@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Agent: all/none" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -857,7 +857,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -989,7 +989,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'metal') @@ -1024,7 +1024,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 9fd4fc5017b..68d2d7a1aaf 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml 
@@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Agent: public/approved" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -883,7 +883,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1017,7 +1017,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'metal') @@ -1052,7 +1052,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 2fe298de080..7602dfd7879 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml 
@@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Agent: public/none" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -857,7 +857,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -989,7 +989,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'metal') @@ -1024,7 +1024,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 5882468c575..1cb66842845 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml 
@@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Agent: scoped/approved" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -861,7 +861,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -993,7 +993,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'metal') @@ -1028,7 +1028,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 1129e6f57e5..648167535a0 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml 
@@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Call Workflow" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -256,7 +256,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -843,7 +843,7 @@ jobs: echo "Detection found issues" fi - call-smoke-workflow-call: + call-smoke-workflow-call: # zizmor: ignore[secrets-outside-env] needs: safe_outputs if: needs.safe_outputs.outputs.call_workflow_name == 'smoke-workflow-call' permissions: @@ -857,7 +857,7 @@ jobs: task-description: ${{ fromJSON(needs.safe_outputs.outputs.call_workflow_payload).task-description }} secrets: inherit - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -966,7 +966,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'water') @@ -1001,7 +1001,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index bae981e3b31..68c04686869 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -56,7 +56,7 @@ concurrency: run-name: "Smoke Claude" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -679,7 +679,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1936,11 +1936,14 @@ jobs: "type": "http", "url": "https://mcp.tavily.com/mcp/", "headers": { - "Authorization": "Bearer ${{ secrets.TAVILY_API_KEY }}" + "Authorization": "Bearer ${TAVILY_API_KEY}" }, "tools": [ "*" ], + "env": { + "TAVILY_API_KEY": "" + }, "guard-policies": { "write-sink": { "accept": [ @@ -2358,7 +2361,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -2493,7 +2496,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'smoke') @@ -2528,7 +2531,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -2640,7 +2643,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index a8dd260ed4d..69f0954c228 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -49,7 +49,7 @@ concurrency: run-name: "Smoke Codex" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -318,7 +318,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1321,7 +1321,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1454,7 +1454,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'smoke') @@ -1489,7 +1489,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -1584,7 +1584,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 44c03493f06..41453a26511 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Smoke Copilot ARM64" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -316,7 +316,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-24.04-arm permissions: @@ -1770,7 +1770,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1909,7 +1909,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'water') @@ -1944,7 +1944,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim 
@@ -2031,7 +2031,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - send_slack_message: + send_slack_message: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'send_slack_message') runs-on: ubuntu-latest @@ -2064,7 +2064,7 @@ jobs: echo "No agent output found" fi - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index eafb858e01f..989008394f6 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -53,7 +53,7 @@ concurrency: run-name: "Smoke Copilot" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'pull_request' && github.event.label.name == 'smoke' || @@ -324,7 +324,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1819,7 +1819,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1958,7 +1958,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: github.event_name == 'pull_request' && github.event.label.name == 'smoke' || !(github.event_name == 'pull_request') runs-on: ubuntu-slim permissions: 
@@ -1991,7 +1991,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -2078,7 +2078,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - send_slack_message: + send_slack_message: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'send_slack_message') runs-on: ubuntu-latest @@ -2111,7 +2111,7 @@ jobs: echo "No agent output found" fi - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 812f75a5401..9d9bbba0680 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Smoke Create Cross-Repo PR" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -280,7 +280,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -960,7 +960,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1108,7 +1108,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'smoke-create-cross-repo-pr') @@ -1143,7 +1143,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 26770516bbb..5f393db6e24 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -49,7 +49,7 @@ concurrency: run-name: "Smoke Gemini" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -311,7 +311,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1085,7 +1085,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1218,7 +1218,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'water') 
@@ -1253,7 +1253,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1338,7 +1338,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index f297b5367a5..bf814bc5a73 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Smoke Multi PR" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -291,7 +291,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -952,7 +952,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1101,7 +1101,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'smoke-multi-pr') 
@@ -1136,7 +1136,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index cc381ec7b2c..9a444d4c59a 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Project" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -288,7 +288,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1084,7 +1084,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1233,7 +1233,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'water') @@ -1268,7 +1268,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 348ca072bdf..0c7493fc952 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml 
+++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Smoke Temporary ID" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -285,7 +285,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -937,7 +937,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1070,7 +1070,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'water') @@ -1105,7 +1105,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 3d27343bc1a..adf624f18da 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml 
@@ -44,7 +44,7 @@ concurrency: run-name: "Agent Container Smoke Test" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -274,7 +274,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -898,7 +898,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1031,7 +1031,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'smoke') @@ -1066,7 +1066,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 72dda4ec3ee..e3422f14cdc 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
@@ -44,7 +44,7 @@ concurrency: run-name: "Smoke Update Cross-Repo PR" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: > needs.pre_activation.outputs.activated == 'true' && ((github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && @@ -287,7 +287,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -973,7 +973,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1108,7 +1108,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: > (github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id) && (github.event_name != 'pull_request' || github.event.action != 'labeled' || github.event.label.name == 'smoke-update-cross-repo-pr') @@ -1143,7 +1143,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1263,7 +1263,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index df072929dfe..a0e4a4771b3 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml 
@@ -56,7 +56,7 @@ concurrency: run-name: "Smoke Workflow Call with Inputs" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -289,7 +289,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -920,7 +920,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1031,7 +1031,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1063,7 +1063,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 73efcdcf947..4232cd395e6 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -59,7 +59,7 @@ concurrency: run-name: "Smoke Workflow Call" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -289,7 +289,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -908,7 +908,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1022,7 +1022,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1054,7 +1054,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 249c80f6f27..e49c759d511 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -54,7 +54,7 @@ env: ORGANIZATION: ${{ github.event.inputs.organization || 'github' }} jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -276,7 +276,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -989,7 +989,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1103,7 +1103,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1184,7 +1184,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1227,7 +1227,7 @@ jobs: key: trending-data-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 6714ce122fb..4020bf444e4 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Static Analysis Report" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -250,7 +250,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1015,7 +1015,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1129,7 +1129,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1208,7 +1208,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 9525e89dbc3..6f373f5c613 100644 --- a/.github/workflows/step-name-alignment.lock.yml 
+++ b/.github/workflows/step-name-alignment.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Step Name Alignment" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -947,7 +947,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1058,7 +1058,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1138,7 +1138,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index f784f7a0b7f..abfd99172fa 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Sub-Issue Closer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -235,7 +235,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -890,7 +890,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1003,7 +1003,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 0883b9806cb..3ef794481e8 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -42,7 +42,7 @@ concurrency: run-name: "Super Linter Report" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - super_linter @@ -895,7 +895,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1007,7 +1007,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1087,7 +1087,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - super_linter: + super_linter: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1141,7 +1141,7 @@ jobs: path: super-linter.log retention-days: 7 - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index feb7de57b50..00ea54e1d95 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -47,7 +47,7 @@ concurrency: run-name: "Rebuild the documentation after making changes" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -280,7 +280,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1142,7 +1142,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1279,7 +1279,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1351,7 +1351,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1467,7 +1467,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1510,7 +1510,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim 
diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 6e940166cbd..6305b9b34e6 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Terminal Stylist" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -247,7 +247,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -869,7 +869,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -983,7 +983,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index d2fcd846a28..0c17fab11b9 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -36,7 +36,7 @@ concurrency: run-name: "Test Create PR Error Handling" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -933,7 +933,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1061,7 +1061,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1173,7 +1173,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index b3bb8b769be..4246a078f5f 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -35,7 +35,7 @@ concurrency: run-name: "Test Dispatcher Workflow" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -230,7 +230,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -827,7 +827,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -937,7 +937,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index fa9a8e5c2c8..79f477028fe 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml 
@@ -35,7 +35,7 @@ concurrency: run-name: "Test Project URL Explicit Requirement" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -230,7 +230,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -892,7 +892,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1002,7 +1002,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 00a24d2b914..c6bd9047857 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -40,7 +40,7 @@ concurrency: run-name: "Test Workflow" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -230,7 +230,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index cf5ebd57dc0..c03b39dc7c0 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml 
@@ -51,7 +51,7 @@ concurrency: run-name: "Tidy" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/tidy ') || startsWith(github.event.comment.body, '/tidy\n') || github.event.comment.body == '/tidy') && github.event.issue.pull_request != null || !(github.event_name == 'issue_comment'))" runs-on: ubuntu-slim @@ -304,7 +304,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -982,7 +982,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1130,7 +1130,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/tidy ') || startsWith(github.event.comment.body, '/tidy\n') || github.event.comment.body == '/tidy') && github.event.issue.pull_request != null || !(github.event_name == 'issue_comment')" runs-on: ubuntu-slim permissions: @@ -1174,7 +1174,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 747d2c3a20d..d877693b143 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Typist - Go Type Analysis" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -246,7 +246,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -951,7 +951,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1064,7 +1064,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 6d8f99bc9f0..f66f46bcd69 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Ubuntu Actions Image Analyzer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -250,7 +250,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -897,7 +897,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1030,7 +1030,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1075,7 +1075,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 76519cd3ba7..4170c624608 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -48,7 +48,7 @@ concurrency: run-name: "Documentation Unbloat" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: "needs.pre_activation.outputs.activated == 'true' && (github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/unbloat ') || startsWith(github.event.comment.body, '/unbloat\n') || github.event.comment.body == '/unbloat') && github.event.issue.pull_request != null || !(github.event_name == 'issue_comment'))" runs-on: ubuntu-slim @@ -317,7 +317,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -1293,7 +1293,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1443,7 +1443,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/notify_comment_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: "github.event_name == 'issue_comment' && (startsWith(github.event.comment.body, '/unbloat ') || startsWith(github.event.comment.body, '/unbloat\n') || github.event.comment.body == '/unbloat') && github.event.issue.pull_request != null || !(github.event_name == 'issue_comment')" runs-on: ubuntu-slim permissions: @@ -1487,7 +1487,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_command_position.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1603,7 +1603,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1646,7 +1646,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index fa2ecac9f50..d3544d1bae7 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -40,7 +40,7 @@ concurrency: run-name: "Update Astro" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: - check_updates - pre_activation @@ -254,7 +254,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: - activation - check_updates @@ -876,7 +876,7 @@ jobs: echo "Detection found issues" fi - check_updates: + check_updates: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-latest permissions: contents: read @@ -918,7 +918,7 @@ jobs: fi working-directory: ./docs - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1051,7 +1051,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read 
@@ -1096,7 +1096,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_skip_if_no_match.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 05bb6290cee..b7ce18c418e 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -45,7 +45,7 @@ concurrency: run-name: "Video Analysis Agent" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -249,7 +249,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -888,7 +888,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -999,7 +999,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 1b45fdab12a..f271171a84e 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Weekly Blog Post Writer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -264,7 +264,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -1118,7 +1118,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1256,7 +1256,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1328,7 +1328,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index c7fd14ca4f1..71e4b5793da 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Weekly Editors Health Check" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -242,7 +242,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -927,7 +927,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1061,7 +1061,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1174,7 +1174,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index c8086875e5e..e0de617138c 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -44,7 +44,7 @@ concurrency: run-name: "Weekly Issue Summary" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -258,7 +258,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -911,7 +911,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1030,7 +1030,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim @@ -1110,7 +1110,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - update_cache_memory: + update_cache_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest 
@@ -1153,7 +1153,7 @@ jobs: key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - upload_assets: + upload_assets: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && contains(needs.agent.outputs.output_types, 'upload_asset') runs-on: ubuntu-slim diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 2b1849da6df..68c0dba71a5 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Weekly Safe Outputs Specification Review" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -237,7 +237,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -852,7 +852,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -985,7 +985,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_create_pr_error.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index b7d7fcb3eaa..1be7b4cc4a1 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -39,7 +39,7 @@ concurrency: run-name: "Workflow Generator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' && (startsWith(github.event.issue.title, '[Workflow]')) runs-on: ubuntu-slim 
@@ -277,7 +277,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -934,7 +934,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1048,7 +1048,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] if: startsWith(github.event.issue.title, '[Workflow]') runs-on: ubuntu-slim permissions: @@ -1097,7 +1097,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_rate_limit.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1197,7 +1197,7 @@ jobs: path: /tmp/gh-aw/safe-output-items.jsonl if-no-files-found: ignore - unlock: + unlock: # zizmor: ignore[secrets-outside-env] needs: - activation - agent diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index c7cd76f29b3..963a0578f2c 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Workflow Health Manager - Meta-Orchestrator" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -259,7 +259,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -969,7 +969,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1087,7 +1087,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -1119,7 +1119,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs'); await main(); - push_repo_memory: + push_repo_memory: # zizmor: ignore[secrets-outside-env] needs: agent if: always() && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-latest @@ -1191,7 +1191,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/push_repo_memory.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 9bf70df76e6..4a3ffc19b9d 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Workflow Normalizer" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -243,7 +243,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -934,7 +934,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent 
@@ -1049,7 +1049,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index dad3bb2b5e4..b279d2f67b0 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -43,7 +43,7 @@ concurrency: run-name: "Workflow Skill Extractor" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read @@ -241,7 +241,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -905,7 +905,7 @@ jobs: echo "Detection found issues" fi - conclusion: + conclusion: # zizmor: ignore[secrets-outside-env] needs: - activation - agent @@ -1019,7 +1019,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - safe_outputs: + safe_outputs: # zizmor: ignore[secrets-outside-env] needs: agent if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim diff --git a/pkg/workflow/compiler_test_helpers.go b/pkg/workflow/compiler_test_helpers.go index b71707aa5f5..40d43bc6faf 100644 --- a/pkg/workflow/compiler_test_helpers.go +++ b/pkg/workflow/compiler_test_helpers.go 
@@ -53,9 +53,14 @@ func extractJobSection(yamlContent, jobName string) string { } if inJob { - // If we hit another job at the same level (starts with " " and ends with ":"), stop - if strings.HasPrefix(line, " ") && strings.HasSuffix(line, ":") && !strings.HasPrefix(line, " ") { - break + // If we hit another job at the same level (starts with " " and ends with ":" or ": #"), + // stop. Job lines now may have inline comments (e.g. " job: # annotation"). + if strings.HasPrefix(line, " ") && !strings.HasPrefix(line, " ") { + // Extract the part before any comment to check for job name + lineWithoutComment, _, _ := strings.Cut(line, " #") + if strings.HasSuffix(strings.TrimSpace(lineWithoutComment), ":") { + break + } } // If we hit the end of jobs section, stop if strings.HasPrefix(line, "jobs:") && i > 0 { diff --git a/pkg/workflow/jobs.go b/pkg/workflow/jobs.go index e189616f2d2..5e0eca6e357 100644 --- a/pkg/workflow/jobs.go +++ b/pkg/workflow/jobs.go @@ -178,7 +178,11 @@ func (jm *JobManager) renderJob(job *Job) string { jobLog.Printf("Rendering job: %s (steps=%d, needs=%d, reusable=%t)", job.Name, len(job.Steps), len(job.Needs), job.Uses != "") var yaml strings.Builder - fmt.Fprintf(&yaml, " %s:\n", job.Name) + // All generated jobs receive a zizmor ignore annotation for secrets-outside-env. + // Secrets in generated workflows are always passed through step-level env: blocks + // (the recommended pattern), but zizmor flags them unless the job has an explicit + // GitHub Actions environment configured. This annotation suppresses those false positives. + fmt.Fprintf(&yaml, " %s: # zizmor: ignore[secrets-outside-env]\n", job.Name) // Add display name if present if job.DisplayName != "" { diff --git a/pkg/workflow/main_job_env_test.go b/pkg/workflow/main_job_env_test.go index db8144ac82e..edaa5079e34 100644 --- a/pkg/workflow/main_job_env_test.go +++ b/pkg/workflow/main_job_env_test.go 
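Review bot: In `renderJob` (jobs.go) the `# zizmor: ignore[secrets-outside-env]` suffix is written for every job unconditionally, so the audit can never report on a generated workflow again, including for any job that later references a secret outside a step-level `env:` block. The added comment says secrets are "always" passed through step `env:` blocks, but nothing in this hunk checks that. I would emit the annotation only for jobs that actually need it, for example those that reference secrets and have no environment configured, if the `Job` struct exposes that. Failing that, add a compiler test asserting that no `${{ secrets.` expression appears outside an `env:` mapping in rendered output, so the suppression stays justified. `renderJob` continues past the end of the hunk.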
@@ -163,12 +163,12 @@ This workflow tests that job-level environment variables are properly set for sa t.Logf("Generated lock file content:\n%s", lockContentStr) // Check that the agent job has an env section - if !strings.Contains(lockContentStr, " agent:\n") { + if !strings.Contains(lockContentStr, " agent:") { t.Fatal("Expected 'agent' job to be present") } // Check that the env section exists at job level - agentJobStart := strings.Index(lockContentStr, " agent:\n") + agentJobStart := strings.Index(lockContentStr, " agent:") if agentJobStart == -1 { t.Fatal("Could not find agent job") } @@ -177,7 +177,9 @@ This workflow tests that job-level environment variables are properly set for sa nextJobStart := len(lockContentStr) // Default to end of file lines := strings.Split(lockContentStr[agentJobStart:], "\n") for _, line := range lines[1:] { // Skip the "agent:" line - if strings.HasPrefix(line, " ") && strings.HasSuffix(line, ":") && !strings.HasPrefix(line, " ") { + // Job lines may now have inline comments: strip them before checking for trailing ":" + lineWithoutComment, _, _ := strings.Cut(line, " #") + if strings.HasPrefix(line, " ") && strings.HasSuffix(strings.TrimSpace(lineWithoutComment), ":") && !strings.HasPrefix(line, " ") { nextJobStart = agentJobStart + strings.Index(lockContentStr[agentJobStart:], line) break } diff --git a/pkg/workflow/mcp_config_custom.go b/pkg/workflow/mcp_config_custom.go index e8ce9d208bf..2085b4f8a08 100644 --- a/pkg/workflow/mcp_config_custom.go +++ b/pkg/workflow/mcp_config_custom.go 
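Review bot: The boundary test added to the loop in the second hunk (`strings.Cut(line, " #")` followed by the `HasSuffix(strings.TrimSpace(lineWithoutComment), ":")` check) is a copy of the one this commit adds to `extractJobSection` in compiler_test_helpers.go. The two copies can drift apart the next time the job-line format changes. Both files live in pkg/workflow, so if they are in the same package the test could call `extractJobSection(lockContentStr, "agent")` and search the returned section instead of re-scanning the lock file. The enclosing test function starts and ends outside these hunks.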
@@ -72,9 +72,11 @@ func renderSharedMCPConfig(yaml *strings.Builder, toolName string, toolConfig ma ) } - // Extract secrets from headers for HTTP MCP tools (copilot engine only) + // Extract secrets from headers for all HTTP MCP tools. + // Secrets are passed via step env: blocks and replaced with shell variable references + // in the generated config to avoid secrets-outside-env zizmor findings. var headerSecrets map[string]string - if mcpConfig.Type == "http" && renderer.RequiresCopilotFields { + if mcpConfig.Type == "http" { headerSecrets = ExtractSecretsFromMap(mcpConfig.Headers) } @@ -355,12 +357,7 @@ func renderSharedMCPConfig(yaml *strings.Builder, toolName string, toolConfig ma yaml.WriteString(", ") } // Replace template expressions with environment variable references for TOML - envValue := mcpConfig.Env[envKey] - // For TOML, we use direct shell variable syntax without backslash - envValue = strings.ReplaceAll(envValue, "${{ secrets.", "${") - envValue = strings.ReplaceAll(envValue, "${{ env.", "${") - envValue = strings.ReplaceAll(envValue, "${{ github.workspace }}", "${GITHUB_WORKSPACE}") - envValue = strings.ReplaceAll(envValue, " }}", "}") + envValue := replaceExpressionsWithShellVars(mcpConfig.Env[envKey]) fmt.Fprintf(yaml, "\"%s\" = \"%s\"", envKey, envValue) } yaml.WriteString(" }\n") @@ -440,7 +437,9 @@ func renderSharedMCPConfig(yaml *strings.Builder, toolName string, toolConfig ma if i > 0 { yaml.WriteString(", ") } - fmt.Fprintf(yaml, "\"%s\" = \"%s\"", headerKey, mcpConfig.Headers[headerKey]) + // Replace secret expressions with ${VAR} for shell expansion in unquoted heredoc + headerValue := replaceExpressionsWithShellVars(mcpConfig.Headers[headerKey]) + fmt.Fprintf(yaml, "\"%s\" = \"%s\"", headerKey, headerValue) } yaml.WriteString(" }\n") } 
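Review bot: In the TOML `headers` loop (third hunk) the `${VAR}` reference is expanded by the shell inside a double-quoted TOML string, so a secret value containing `"`, `\` or a newline would change the structure of the generated config rather than just the header value. The non-Copilot JSON branch in the `@@ -459,10 +458,20 @@` hunk has the same property. The heredoc is outside these hunks, so this is inferred from the added comments about unquoted-heredoc expansion. At minimum I would record the constraint next to the call: `// NOTE: the expanded value is not TOML/JSON-escaped; secrets used in headers must not contain '"', '\' or newlines`. Validating the written config before the MCP gateway starts would catch it at runtime.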
@@ -459,10 +458,20 @@ func renderSharedMCPConfig(yaml *strings.Builder, toolName string, toolConfig ma headerComma = "" } - // Replace secret expressions with env var references for copilot + // Replace secret expressions with env var references for all engines. + // Secrets must be passed via step env: blocks; the config uses shell variable + // syntax so the shell heredoc expands them at runtime. headerValue := mcpConfig.Headers[headerKey] - if renderer.RequiresCopilotFields && len(headerSecrets) > 0 { - headerValue = ReplaceSecretsWithEnvVars(headerValue, headerSecrets) + if len(headerSecrets) > 0 { + if renderer.RequiresCopilotFields { + // Copilot: use \${VAR} – backslash escapes $ in the heredoc so the + // shell writes "${VAR}" literally; the Copilot MCP framework resolves it. + headerValue = ReplaceSecretsWithEnvVars(headerValue, headerSecrets) + } else { + // Other engines (Claude, Gemini, etc.): use ${VAR} – the unquoted + // heredoc lets the shell expand the env var set in the step's env: block. + headerValue = replaceExpressionsWithShellVars(headerValue) + } } fmt.Fprintf(yaml, "%s \"%s\": \"%s\"%s\n", renderer.IndentLevel, headerKey, headerValue, headerComma) 
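Review bot: The new `else` branch ignores `headerSecrets` and derives the variable name by textual rewrite, while the Copilot branch goes through `ReplaceSecretsWithEnvVars(headerValue, headerSecrets)`. The body of `ExtractSecretsFromMap` is not in this diff; if the names it assigns ever differ from the raw secret name, the `${VAR}` written here will not match what the step's `env:` block exports and the header would be sent with an empty value. Building both forms from the same map would keep them in agreement. Otherwise a comment on the branch, `// relies on ExtractSecretsFromMap using the secret name as the env var name`, makes the coupling explicit. `renderSharedMCPConfig` starts and ends outside the hunk.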
@@ -536,6 +545,22 @@ func collectHTTPMCPHeaderSecrets(tools map[string]any) map[string]string { return allSecrets } +// replaceExpressionsWithShellVars replaces GitHub Actions template expressions with shell +// variable references for use in unquoted heredocs. +// The shell expands ${VAR} using env vars set in the step's env: block at runtime. +// Examples: +// - "${{ secrets.DD_API_KEY }}" -> "${DD_API_KEY}" +// - "${{ env.SENTRY_HOST }}" -> "${SENTRY_HOST}" +// - "${{ github.workspace }}" -> "${GITHUB_WORKSPACE}" +func replaceExpressionsWithShellVars(value string) string { + result := value + result = strings.ReplaceAll(result, "${{ secrets.", "${") + result = strings.ReplaceAll(result, "${{ env.", "${") + result = strings.ReplaceAll(result, "${{ github.workspace }}", "${GITHUB_WORKSPACE}") + result = strings.ReplaceAll(result, " }}", "}") + return result +} + // getMCPConfig extracts MCP configuration from a tool config and returns a structured MCPServerConfig func getMCPConfig(toolConfig map[string]any, toolName string) (*parser.MCPServerConfig, error) { mcpCustomLog.Printf("Extracting MCP config for tool: %s", toolName) diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index d857823ec57..c266925c47d 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -10,7 +10,7 @@ concurrency: run-name: "basic-copilot-test" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim 
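Review bot: `replaceExpressionsWithShellVars` only recognises the exact spelling `${{ secrets.NAME }}` with single spaces. `${{secrets.NAME}}` passes through untouched, leaving the expression in the generated script for Actions to inline, and a compound expression such as `${{ secrets.A || secrets.B }}` (a form the golden files in this diff use for `GH_TOKEN`) becomes `${A || secrets.B}`, which the shell rejects as a bad substitution. The global ` }}` to `}` rewrite also alters text that was never part of an expression. Now that this helper handles header values carrying secrets, I would match whole single-reference expressions with a pattern and leave everything else unchanged, so the caller can reject it at compile time. This needs `regexp` in the file's imports.

```go
// Matches one secrets.NAME / env.NAME reference, tolerating any inner spacing.
var simpleRefExpr = regexp.MustCompile(`\$\{\{\s*(?:secrets|env)\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)

// Matches the github.workspace expression, tolerating any inner spacing.
var workspaceExpr = regexp.MustCompile(`\$\{\{\s*github\.workspace\s*\}\}`)

func replaceExpressionsWithShellVars(value string) string {
	// "$$" is a literal "$" in a regexp replacement template, so this yields "${NAME}".
	result := simpleRefExpr.ReplaceAllString(value, "$${${1}}")
	return workspaceExpr.ReplaceAllString(result, "$${GITHUB_WORKSPACE}")
}
```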
@@ -48,7 +48,7 @@ jobs: GH_AW_INFO_STAGED: "false" GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" - GH_AW_INFO_AWF_VERSION: "v0.24.5" + GH_AW_INFO_AWF_VERSION: "v0.25.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" @@ -207,7 +207,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -271,7 +271,7 @@ jobs: env: GH_HOST: github.com - name: Install AWF binary - run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.5 + run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -283,7 +283,7 @@ jobs: const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.5 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.5 ghcr.io/github/gh-aw-firewall/squid:0.24.5 ghcr.io/github/gh-aw-mcpg:v0.2.1 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.0 ghcr.io/github/gh-aw-firewall/squid:0.25.0 ghcr.io/github/gh-aw-mcpg:v0.2.1 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -353,7 +353,7 @@ jobs: set -o pipefail touch /tmp/gh-aw/agent-step-summary.md # shellcheck disable=SC1003 - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.5 --skip-pull --enable-api-proxy \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains 
"api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.25.0 --skip-pull --enable-api-proxy \ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -488,7 +488,7 @@ jobs: /tmp/gh-aw/agent/ if-no-files-found: ignore - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 9f83ac58873..8576f5f1dc1 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden 
@@ -21,7 +21,7 @@ concurrency: run-name: "Smoke Copilot" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -62,7 +62,7 @@ jobs: GH_AW_INFO_STAGED: "false" GH_AW_INFO_ALLOWED_DOMAINS: '["defaults","node","github","playwright"]' GH_AW_INFO_FIREWALL_ENABLED: "true" - GH_AW_INFO_AWF_VERSION: "v0.24.5" + GH_AW_INFO_AWF_VERSION: "v0.25.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" @@ -292,7 +292,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: @@ -397,7 +397,7 @@ jobs: env: GH_HOST: github.com - name: Install AWF binary - run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.5 + run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 
@@ -409,7 +409,7 @@ jobs: const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.5 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.5 ghcr.io/github/gh-aw-firewall/squid:0.24.5 ghcr.io/github/gh-aw-mcpg:v0.2.1 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp + run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.0 ghcr.io/github/gh-aw-firewall/squid:0.25.0 ghcr.io/github/gh-aw-mcpg:v0.2.1 ghcr.io/github/github-mcp-server:v0.32.0 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -553,7 +553,7 @@ jobs: set -o pipefail touch /tmp/gh-aw/agent-step-summary.md # shellcheck disable=SC1003 - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access 
--image-tag 0.24.5 --skip-pull --enable-api-proxy \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,docs.github.com,esm.sh,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.25.0 --skip-pull --enable-api-proxy \ -- 
/bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -688,7 +688,7 @@ jobs: /tmp/gh-aw/agent/ if-no-files-found: ignore - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index 1ad829fdd49..47a626a7a15 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden @@ -10,7 +10,7 @@ concurrency: run-name: "with-imports-test" jobs: - activation: + activation: # zizmor: ignore[secrets-outside-env] needs: pre_activation if: needs.pre_activation.outputs.activated == 'true' runs-on: ubuntu-slim @@ -48,7 +48,7 @@ jobs: GH_AW_INFO_STAGED: "false" GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' GH_AW_INFO_FIREWALL_ENABLED: "true" - GH_AW_INFO_AWF_VERSION: "v0.24.5" + GH_AW_INFO_AWF_VERSION: "v0.25.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" @@ -210,7 +210,7 @@ jobs: /tmp/gh-aw/aw-prompts/prompt.txt retention-days: 1 - agent: + agent: # zizmor: ignore[secrets-outside-env] needs: activation runs-on: ubuntu-latest permissions: 
@@ -274,7 +274,7 @@ jobs: env: GH_HOST: github.com - name: Install AWF binary - run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.5 + run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.0 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -286,7 +286,7 @@ jobs: const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.5 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.5 ghcr.io/github/gh-aw-firewall/squid:0.24.5 ghcr.io/github/gh-aw-mcpg:v0.2.1 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.0 ghcr.io/github/gh-aw-firewall/squid:0.25.0 ghcr.io/github/gh-aw-mcpg:v0.2.1 ghcr.io/github/github-mcp-server:v0.32.0 - name: Start MCP Gateway id: start-mcp-gateway env: 
@@ -356,7 +356,7 @@ jobs: set -o pipefail touch /tmp/gh-aw/agent-step-summary.md # shellcheck disable=SC1003 - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.5 --skip-pull --enable-api-proxy \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains 
"api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.25.0 --skip-pull --enable-api-proxy \ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -491,7 +491,7 @@ jobs: /tmp/gh-aw/agent/ if-no-files-found: ignore - pre_activation: + pre_activation: # zizmor: ignore[secrets-outside-env] runs-on: ubuntu-slim permissions: contents: read