diff --git a/.changeset/patch-skip-disabled-detection-job-and-include-patches.md b/.changeset/patch-skip-disabled-detection-job-and-include-patches.md new file mode 100644 index 00000000000..94ce838cf61 --- /dev/null +++ b/.changeset/patch-skip-disabled-detection-job-and-include-patches.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Fixed threat detection workflow compilation by skipping the detection job when `threat-detection.engine` is disabled with no custom steps, and by always including `aw-*.patch` files in agent artifacts when threat detection is enabled. diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 9e6db5760f8..e72732d42d1 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -901,6 +901,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 6166461b27b..6fe1c1c71a8 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -843,6 +843,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/agentic-observability-kit.lock.yml b/.github/workflows/agentic-observability-kit.lock.yml index 474464cf855..a3dd611e06b 100644 --- a/.github/workflows/agentic-observability-kit.lock.yml +++ b/.github/workflows/agentic-observability-kit.lock.yml @@ -851,6 +851,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 104be8fa944..ea4d20c875c 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -811,6 +811,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index efba6acec38..27be3a88c71 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -738,6 +738,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index a2421a71444..2014d223df3 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -979,6 +979,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index fb68295897b..546c83d8625 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -787,6 +787,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 5f55caf0219..cf97711096d 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -854,6 +854,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 9f5a1354dc6..eeaa30d5c57 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -803,6 +803,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index d35a8d3545c..c28986b788b 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -771,6 +771,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 6684e39e9e1..aa57fb2c7c5 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -844,7 +844,6 @@ jobs: needs: - activation - agent - - detection - safe_outputs if: always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true') runs-on: ubuntu-slim @@ -954,114 +953,6 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); - detection: - needs: agent - if: always() && needs.agent.result != 'skipped' - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }} - detection_success: ${{ steps.detection_conclusion.outputs.success }} - steps: - - name: Checkout actions folder - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: github/gh-aw - sparse-checkout: | - actions - persist-credentials: false - - name: Setup Scripts - uses: ./actions/setup - with: - destination: ${{ runner.temp }}/gh-aw/actions - - name: Download agent output artifact - id: download-agent-output - continue-on-error: true - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: agent - path: /tmp/gh-aw/ - - name: Setup agent output environment variable - id: setup-agent-output-env - if: steps.download-agent-output.outcome == 'success' - run: | - mkdir -p /tmp/gh-aw/ - find "/tmp/gh-aw/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT" - # --- Threat Detection --- - - name: Download container images - run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.0 ghcr.io/github/gh-aw-firewall/squid:0.25.0 - - name: Check if detection needed - id: detection_guard - if: always() - env: - OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} - HAS_PATCH: ${{ needs.agent.outputs.has_patch }} - run: | - if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then - echo "run_detection=true" >> "$GITHUB_OUTPUT" - echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH" - else - echo "run_detection=false" >> "$GITHUB_OUTPUT" - echo "Detection skipped: no agent outputs or patches to analyze" - fi - - name: Clear MCP configuration for detection - if: always() && steps.detection_guard.outputs.run_detection == 'true' - run: | - rm -f /tmp/gh-aw/mcp-config/mcp-servers.json - rm -f /home/runner/.copilot/mcp-config.json - rm -f "$GITHUB_WORKSPACE/.gemini/settings.json" - - name: Prepare threat detection files - if: always() && steps.detection_guard.outputs.run_detection == 'true' - run: | - mkdir -p /tmp/gh-aw/threat-detection/aw-prompts - cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true - cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true - for f in /tmp/gh-aw/aw-*.patch; do - [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true - done - echo "Prepared threat detection files:" - ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true - - name: Setup threat detection - if: always() && steps.detection_guard.outputs.run_detection == 'true' - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - WORKFLOW_NAME: "Changeset Generator" - WORKFLOW_DESCRIPTION: "Automatically creates changeset files when PRs are labeled with 'changeset' or 'smoke' to document changes for release notes" - HAS_PATCH: ${{ needs.agent.outputs.has_patch }} - with: - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs'); - await main(); - - name: Ensure threat-detection directory and log - if: always() && steps.detection_guard.outputs.run_detection == 'true' - run: | - mkdir -p /tmp/gh-aw/threat-detection - touch /tmp/gh-aw/threat-detection/detection.log - # AI engine disabled for threat detection (engine: false) - - name: Upload threat detection log - if: always() && steps.detection_guard.outputs.run_detection == 'true' - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 - with: - name: detection - path: /tmp/gh-aw/threat-detection/detection.log - if-no-files-found: ignore - - name: Parse and conclude threat detection - id: detection_conclusion - if: always() - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 - env: - RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }} - with: - script: | - const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs'); - await main(); - pre_activation: if: > ((github.event.pull_request.base.ref == github.event.repository.default_branch) && (github.event_name != 'pull_request' || @@ -1102,8 +993,7 @@ jobs: needs: - activation - agent - - detection - if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success' + if: (!cancelled()) && needs.agent.result != 'skipped' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 7e58fb911e2..79c4b4571dd 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -941,6 +941,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index ce109c7985e..d40175f69c1 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -814,6 +814,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 1dac4ef744d..be874f1db83 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -736,6 +736,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index dc83ed888ab..01855e044a7 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -826,6 +826,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 777e046c970..78546f6838e 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -788,6 +788,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 4c5308184da..68704877a0a 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -739,6 +739,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 45c26d44d34..355a35f0922 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -783,6 +783,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index ead797664f5..0fb3d6a6310 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -864,6 +864,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index b636ac9ccf5..5a0a904873f 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -794,6 +794,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index aef6783e686..db90b0c1f47 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -914,6 +914,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index f3358e8da99..36551e88aca 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -876,6 +876,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 98e00181346..2d5e156934e 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -813,6 +813,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index e95ab66e9c5..349ca5ffbe6 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -926,6 +926,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index e696679aa69..99764a3ab26 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -740,6 +740,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index d6aaa5c732d..4c09ffb1b4c 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -779,6 +779,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 8a771db175f..b2a1b121250 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -983,6 +983,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index a5b0636a555..60335e27aa3 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -824,6 +824,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index c070c837de4..2015acc32c9 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -900,6 +900,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 2f9696c7980..55369842036 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -799,6 +799,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 49cd6a0e4d8..69bca407eee 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -880,6 +880,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index b2634fc7061..af49ab6c6e7 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -774,6 +774,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 4ea84c9f100..3196fe65b52 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -796,6 +796,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index b2ef1f288a8..ec885f1915c 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -894,6 +894,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 74c6464e993..f1445f605d3 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -846,6 +846,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-integrity-analysis.lock.yml b/.github/workflows/daily-integrity-analysis.lock.yml index b1b9e8dd13d..34c778e5caf 100644 --- a/.github/workflows/daily-integrity-analysis.lock.yml +++ b/.github/workflows/daily-integrity-analysis.lock.yml @@ -899,6 +899,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index ab5886ed214..fd953a192d3 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -886,6 +886,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index f2dcde0d2eb..4c03d86027f 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -822,6 +822,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 71c9b62d6a7..bdb0390e046 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -902,6 +902,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 3b5f094bec8..06a81a461f8 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -948,6 +948,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index fe8c7be76f7..6974f14c6cf 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -861,6 +861,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 4d83cadf7b5..fb8c2c1b68e 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1336,6 +1336,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index db06f90d0e6..fa5bf1c2b3c 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1259,6 +1259,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 6b97b91b018..4727f6a202d 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -816,6 +816,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 73f8d13541d..91df4beb666 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -931,6 +931,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index d8d44cc1a63..600b408fedf 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -790,6 +790,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 9380a400553..5077c84f1b2 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -765,6 +765,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 585382ea40f..3a3a926c3d7 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -794,6 +794,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 81a5d2c2638..a3b00716bd8 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -773,6 +773,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index b470fef5363..59426acca83 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -777,6 +777,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 7c8c9f330c5..e98257dcd3f 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -786,6 +786,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index b73aba54764..0dd8bc06d17 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -757,6 +757,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index d4d95ec42ba..207c99c0710 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -829,6 +829,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 33d11dc051d..f2511045d63 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -971,6 +971,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 620c8074afa..407945ea6f3 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -834,6 +834,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 786129f88af..6d5aa9b1ce8 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -749,6 +749,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index bee58016568..ab1c564ec51 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -767,6 +767,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index ce5a2da5110..49aa809c7c9 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -841,6 +841,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 07bfcba3835..f4051a00e5d 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -851,6 +851,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index b5e0319bdb5..91d6290728c 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -820,6 +820,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 219da7a5d26..69779e8ae0e 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -784,6 +784,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 1072728da5b..20f790ef520 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -775,6 +775,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index c89da776bb3..33212dbe610 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -803,6 +803,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 8fc9d65d1ea..e5659d308a5 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -857,6 +857,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 0973b006048..8d927a36e0c 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -808,6 +808,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 7adaad27092..ce147237a70 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -867,6 +867,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 4121630ab52..5b0e08e71a1 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -747,6 +747,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 71c6bfe28d6..d092a91233f 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -857,6 +857,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index b0fdf96a8a1..9bc2c49df13 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -816,6 +816,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 837e5276edc..fff29d574d5 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -776,6 +776,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 17dd839d522..42858a0d467 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -852,6 +852,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index bbb3c9148a0..947162fb2fd 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -813,6 +813,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 91fd15605bc..8114f79d474 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1132,6 +1132,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 9b7e618762c..ba1100008e4 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -732,6 +732,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index aa245cd8d6f..7c5bd7e0045 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -810,6 +810,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 47b5db48732..c4a9b58d18d 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1258,6 +1258,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 685da60185e..d5bc6b2826d 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -822,6 +822,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index f4d01bc72d7..d16102218ab 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -883,6 +883,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index dae19224056..34b564e895f 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -824,6 +824,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 10abb4ac208..d7aed3a851f 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1169,6 +1169,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 3cbf4e4f323..1fd803f24ae 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -905,6 +905,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index c40793946eb..169a1b4bcad 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -882,6 +882,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 10280f4107a..dd846dd973f 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -810,6 +810,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index a228de85ac2..323a16bb40e 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -952,6 +952,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 325638a2ca2..75af16495db 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -893,6 +893,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 9c449a6e55b..6ca7c08ebd8 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -785,6 +785,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 4352205e5e2..d74e1e74312 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -768,6 +768,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 4597c543070..dd5dc5ec702 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -739,6 +739,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index d97d7461fea..b9680c5a2da 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -783,6 +783,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 42d99f05b55..db56b36ba28 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -771,6 +771,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 92716253c7b..f057048ceb7 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -915,6 +915,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 870bee3af14..7e6ed118171 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -810,6 +810,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index bfdc31bba83..aa91d62ac2a 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1058,6 +1058,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index f7e0ed86610..8d0ddc525a2 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -790,6 +790,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index d085d1b5312..e9cdbb687f0 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -928,6 +928,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 5ede2387cf4..632873c4c2b 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -856,6 +856,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 11698b721d0..b10386e6238 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -856,6 +856,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 1e157723076..046ae323dc4 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -761,6 +761,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 8c317d646d6..d40c27503f6 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -761,6 +761,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index a21ffffd314..5ad06966afe 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -787,6 +787,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index a3ec335b54e..3e325f2d407 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -761,6 +761,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 49aac45862d..abb81fbeaca 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -765,6 +765,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 76f3bb69dc3..cb6ad67f2bd 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -745,6 +745,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index f0be5c5fa15..84c19815da1 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2220,6 +2220,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 668daecef66..d58ba67df73 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1291,6 +1291,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 79a561e67e9..fe9b01ac370 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1659,6 +1659,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index cf90b500d1f..77449eaf4cf 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1707,6 +1707,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 039f5299d1b..0d14c6c2905 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -994,6 +994,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 8d1cb3cb7fb..a990a8c1d50 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -826,6 +826,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index e9b920fbf13..d16c2191cb6 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -787,6 +787,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index d14ead4c9e2..baa312c8ffd 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -808,6 +808,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index dc3e0c9c607..aa022492567 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -796,6 +796,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index a31f1e3a1fd..11506b27279 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -888,6 +888,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 9859c33b8db..3d69b2ae572 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -893,6 +893,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index b39641f7a38..6f07bc57d17 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -826,6 +826,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index cae48556f5b..1f6bd1f9e95 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -779,6 +779,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 6de4046371c..ca08fb58abf 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -784,6 +784,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 32f609882c3..3ffc861d1c5 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -758,6 +758,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 2c59eb35a24..c23792a8914 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -721,6 +721,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index d6d22a845a2..c4fdc8b7505 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -781,6 +781,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 5265df0d8ae..3a81df6e856 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -829,6 +829,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 294ee60efbb..2172c009eb9 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -776,6 +776,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index a7bd1754b4a..ba20cd675c6 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -802,6 +802,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 103850eeb85..7558cdc3ebb 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -819,6 +819,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index c9541f186c8..9056c596ee5 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -858,6 +858,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index a56e06fb71e..f8a4fc96c0a 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -823,6 +823,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index b3c3659618e..a5b5be84bbf 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -794,6 +794,7 @@ jobs: /tmp/gh-aw/agent/ /tmp/gh-aw/safeoutputs.jsonl /tmp/gh-aw/agent_output.json + /tmp/gh-aw/aw-*.patch if-no-files-found: ignore - name: Upload firewall audit logs if: always() diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index 1105976dbb5..95353a958c1 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go @@ -430,7 +430,7 @@ func generateCacheMemorySteps(builder *strings.Builder, data *WorkflowData) { // Use actions/cache/restore for restore-only caches or when threat detection is enabled // When threat detection is enabled, we only restore the cache and defer saving to a separate job after detection // Use actions/cache for normal caches (which auto-saves via post-action) - threatDetectionEnabled := data.SafeOutputs != nil && data.SafeOutputs.ThreatDetection != nil + threatDetectionEnabled := IsDetectionJobEnabled(data.SafeOutputs) useRestoreOnly := cache.RestoreOnly || threatDetectionEnabled var actionName string @@ -531,7 +531,7 @@ func generateCacheMemoryArtifactUpload(builder *strings.Builder, data *WorkflowD // Only upload artifacts when threat detection is enabled (needed for update_cache_memory job) // When threat detection is disabled, cache is saved automatically by actions/cache post-action - threatDetectionEnabled := data.SafeOutputs != nil && data.SafeOutputs.ThreatDetection != nil + threatDetectionEnabled := IsDetectionJobEnabled(data.SafeOutputs) if !threatDetectionEnabled { cacheLog.Print("Skipping cache-memory artifact upload (threat detection disabled)") return diff --git a/pkg/workflow/compiler_artifacts_test.go b/pkg/workflow/compiler_artifacts_test.go index 4a8115e768f..6c6c4b3fec8 100644 --- a/pkg/workflow/compiler_artifacts_test.go +++ b/pkg/workflow/compiler_artifacts_test.go @@ -316,3 +316,64 @@ This workflow should generate a unified artifact upload step that includes the p t.Log("Unified artifact upload step verified successfully (includes prompt)") } + +func TestPatchIncludedInArtifactWhenThreatDetectionEnabled(t *testing.T) { + // When push-to-pull-request-branch is staged, usesPatchesAndCheckouts() returns false. + // But if threat detection is enabled, the detection job needs patches for security + // analysis, so aw-*.patch must still be included in the agent artifact. + tmpDir := testutil.TempDir(t, "patch-artifact-test") + + testContent := `--- +on: workflow_dispatch +permissions: + contents: read + issues: read + pull-requests: read +engine: claude +strict: false +safe-outputs: + push-to-pull-request-branch: + staged: true +--- + +# Test Patch Upload + +Push some changes. +` + + testFile := filepath.Join(tmpDir, "test-workflow.md") + if err := os.WriteFile(testFile, []byte(testContent), 0644); err != nil { + t.Fatal(err) + } + + compiler := NewCompiler() + if err := compiler.CompileWorkflow(testFile); err != nil { + t.Fatalf("Failed to compile workflow: %v", err) + } + + lockFile := stringutil.MarkdownToLockFile(testFile) + lockContent, err := os.ReadFile(lockFile) + if err != nil { + t.Fatalf("Failed to read lock file: %v", err) + } + + lockYAML := string(lockContent) + + // Find the Upload agent artifacts step and verify aw-*.patch is in its paths + uploadIdx := strings.Index(lockYAML, "- name: Upload agent artifacts") + if uploadIdx == -1 { + t.Fatal("Upload agent artifacts step not found") + } + + // Extract the section up to the next step + afterUpload := lockYAML[uploadIdx:] + nextStep := strings.Index(afterUpload[30:], "- name:") + if nextStep == -1 { + nextStep = len(afterUpload) - 30 + } + uploadSection := afterUpload[:30+nextStep] + + if !strings.Contains(uploadSection, "/tmp/gh-aw/aw-*.patch") { + t.Error("Expected '/tmp/gh-aw/aw-*.patch' in unified artifact upload when threat detection is enabled with staged push-to-pull-request-branch") + } +} diff --git a/pkg/workflow/compiler_jobs.go b/pkg/workflow/compiler_jobs.go index 5d5bc3ec6e0..bbef204fc56 100644 --- a/pkg/workflow/compiler_jobs.go +++ b/pkg/workflow/compiler_jobs.go @@ -348,7 +348,7 @@ func (c *Compiler) buildQmdIndexingJobWrapper(data *WorkflowData) error { // buildMemoryManagementJobs builds memory management jobs (push_repo_memory and update_cache_memory). // These jobs handle artifact-based memory persistence to git branches and GitHub Actions cache. func (c *Compiler) buildMemoryManagementJobs(data *WorkflowData) error { - threatDetectionEnabledForSafeJobs := data.SafeOutputs != nil && data.SafeOutputs.ThreatDetection != nil + threatDetectionEnabledForSafeJobs := IsDetectionJobEnabled(data.SafeOutputs) // Build push_repo_memory job if repo-memory is configured pushRepoMemoryJobName, err := c.buildPushRepoMemoryJobWrapper(data, threatDetectionEnabledForSafeJobs) diff --git a/pkg/workflow/compiler_safe_output_jobs.go b/pkg/workflow/compiler_safe_output_jobs.go index b903a1b61a8..2ffcc0f0143 100644 --- a/pkg/workflow/compiler_safe_output_jobs.go +++ b/pkg/workflow/compiler_safe_output_jobs.go @@ -21,8 +21,11 @@ func (c *Compiler) buildSafeOutputsJobs(data *WorkflowData, jobName, markdownPat compilerSafeOutputJobsLog.Print("Building safe outputs jobs") // Detection is always enabled for safe-outputs workflows unless threat-detection is explicitly - // disabled (threat-detection: false). ThreatDetection is nil only when explicitly disabled. - threatDetectionEnabled := data.SafeOutputs.ThreatDetection != nil + // disabled (threat-detection: false) or the engine is disabled with no custom steps + // (threat-detection: { engine: false } with no steps). ThreatDetection is nil only when + // explicitly disabled. When engine is false with no custom steps, the detection job has + // nothing to run so it is skipped entirely. + threatDetectionEnabled := IsDetectionJobEnabled(data.SafeOutputs) // Build the separate detection job. Detection runs by default for all safe-outputs workflows // and is only skipped when ThreatDetection is nil (i.e. threat-detection: false was set). diff --git a/pkg/workflow/compiler_safe_outputs_job.go b/pkg/workflow/compiler_safe_outputs_job.go index 9493ab96914..817c1393a11 100644 --- a/pkg/workflow/compiler_safe_outputs_job.go +++ b/pkg/workflow/compiler_safe_outputs_job.go @@ -35,8 +35,10 @@ func (c *Compiler) buildConsolidatedSafeOutputsJob(data *WorkflowData, mainJobNa // Compute permissions based on configured safe outputs (principle of least privilege) permissions := ComputePermissionsForSafeOutputs(data.SafeOutputs) - // Track whether threat detection job is enabled for step conditions - threatDetectionEnabled := data.SafeOutputs.ThreatDetection != nil + // Track whether threat detection job is enabled for step conditions. + // When the engine is explicitly disabled and there are no custom steps, + // the detection job is skipped entirely (see buildDetectionJob). + threatDetectionEnabled := IsDetectionJobEnabled(data.SafeOutputs) // Note: GitHub App token minting step is added later (after setup/downloads) // to ensure proper step ordering. See insertion logic below. diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index fadfd0a32b6..85c6cfbea0d 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -521,7 +521,12 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat // NOTE: Git patch generation has been moved to the safe-outputs MCP server // The patch is now generated when create_pull_request or push_to_pull_request_branch // tools are called, providing immediate error feedback if no changes are present. - if usesPatchesAndCheckouts(data.SafeOutputs) { + // Include patches in the artifact when: + // 1. Safe outputs needs them for checkout (non-staged create_pull_request/push_to_pull_request_branch) + // 2. Threat detection is enabled (detection job needs patches for security analysis, even when the + // safe-output handler is staged and doesn't need checkout itself) + threatDetectionNeedsPatches := IsDetectionJobEnabled(data.SafeOutputs) + if usesPatchesAndCheckouts(data.SafeOutputs) || threatDetectionNeedsPatches { artifactPaths = append(artifactPaths, "/tmp/gh-aw/aw-*.patch") } diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index 3b6d2dfad54..3e3c4cf24e8 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -330,7 +330,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_AGENT_CONCLUSION: ${{ needs.%s.result }}\n", mainJobName)) // Pass detection conclusion if threat detection is enabled (in separate detection job) - if data.SafeOutputs.ThreatDetection != nil { + if IsDetectionJobEnabled(data.SafeOutputs) { customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_DETECTION_CONCLUSION: ${{ needs.%s.outputs.detection_conclusion }}\n", constants.DetectionJobName)) notifyCommentLog.Print("Added detection conclusion environment variable to conclusion job") } @@ -438,7 +438,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa // When threat detection is enabled, the conclusion job also depends on the detection job // so that needs.detection.outputs.detection_conclusion is accessible. - if data.SafeOutputs.ThreatDetection != nil { + if IsDetectionJobEnabled(data.SafeOutputs) { needs = append(needs, string(constants.DetectionJobName)) notifyCommentLog.Print("Added detection job dependency to conclusion job") } diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index ef187193261..8a87f5be481 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -19,6 +19,21 @@ type ThreatDetectionConfig struct { RunsOn string `yaml:"runs-on,omitempty"` // Runner override for the detection job } +// HasRunnableDetection reports whether this config will produce a detection job +// that actually executes. Returns false when the engine is disabled and no +// custom steps are configured, since the job would have nothing to run. +func (td *ThreatDetectionConfig) HasRunnableDetection() bool { + return !td.EngineDisabled || len(td.Steps) > 0 +} + +// IsDetectionJobEnabled reports whether a detection job should be created for +// the given safe-outputs configuration. This is the single source of truth +// used by all codepaths that decide whether to create, depend on, or reference +// the detection job. +func IsDetectionJobEnabled(so *SafeOutputsConfig) bool { + return so != nil && so.ThreatDetection != nil && so.ThreatDetection.HasRunnableDetection() +} + // parseThreatDetectionConfig handles threat-detection configuration func (c *Compiler) parseThreatDetectionConfig(outputMap map[string]any) *ThreatDetectionConfig { if configData, exists := outputMap["threat-detection"]; exists { @@ -544,6 +559,15 @@ func (c *Compiler) buildDetectionJob(data *WorkflowData) (*Job, error) { return nil, nil } + // When the engine is explicitly disabled and there are no custom steps, + // there is nothing to run in the detection job — skip it entirely. + // The detection job would only create an empty detection.log and the parser + // would correctly fail with "No THREAT_DETECTION_RESULT found". + if !IsDetectionJobEnabled(data.SafeOutputs) { + threatLog.Print("Threat detection engine disabled with no custom steps, skipping detection job") + return nil, nil + } + var steps []string // Add setup action steps (same as agent job - installs the agentic engine)