Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
2 changes: 1 addition & 1 deletion .github/workflows/ab-testing-advisor.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions .github/workflows/ab-testing-advisor.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
private: true

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coverage gap: shared imports not marked private — 69 files in .github/workflows/shared/ have no private: true frontmatter. Since ExtractWorkflowPrivate() returns false for them and isSupportedPackageInstallablePath() accepts any path starting with .github/workflows/ (including the shared/ subdirectory), an external user can run gh aw add github/gh-aw/shared/<name> and successfully copy any shared import into their repo.

💡 Suggested follow-up fix

ExtractWorkflowPrivateSetting returns (false, false) for these files because none have a private: YAML key — the YAML comments inside their frontmatter blocks parse as an empty map.

Fix: add a follow-up PR to stamp all 69 shared/*.md files with private: true using the same approach as this PR. For files with a --- block:

---
private: true
# CI Data Analysis

For pure-markdown imports without frontmatter (e.g., noop-reminder.md), add a frontmatter block:

---
private: true
---
**Important**: If no action is needed...

No recompile needed for shared imports — they have no .lock.yml counterpart.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gh aw trial bypasses the private: true guardinstallWorkflowInTrialMode calls FetchWorkflowFromSourceWithContext directly and then writes the workflow content to a cloned trial host repository without ever calling ExtractWorkflowPrivate. The enforcement only exists in add_workflow_resolution.go (the gh aw add code path). A user can run gh aw trial github/gh-aw/<any-workflow> and successfully install and execute any of the 245 newly-private workflows in a real temporary repository.

💡 Suggested fix

Add a private guard in pkg/cli/trial_repository.go:installWorkflowInTrialMode immediately after the fetch succeeds, before writeWorkflowToTrialDir:

// Enforce private: true — private workflows cannot be trialled from external repos
if !fetched.IsLocal && ExtractWorkflowPrivate(string(content)) {
    return fmt.Errorf("workflow '%s' is private and cannot be run in trial mode from external repositories", parsedSpec.WorkflowName)
}

This mirrors the same check already performed in add_workflow_resolution.go:226-228 for gh aw add. The !fetched.IsLocal guard ensures that local workflows (which the repo owner is running in their own context) are still allowed.

A test case should accompany the fix, since no existing test covers this path (the existing add_private_test.go tests only exercise ExtractWorkflowPrivate in isolation, not the trial installation path).

on:
schedule:
- cron: daily around 10:00
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ace-editor.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions .github/workflows/ace-editor.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
private: true
emoji: "✏️"
name: ACE Editor Session
description: Generates an ACE editor session link when invoked with /ace command on pull request comments
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agent-performance-analyzer.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions .github/workflows/agent-performance-analyzer.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
private: true
emoji: "⚡"
description: Meta-orchestrator that analyzes AI agent performance, quality, and effectiveness across the repository
on: daily
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agent-persona-explorer.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions .github/workflows/agent-persona-explorer.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
private: true
emoji: "🎭"
description: Explores agentic-workflows custom agent behavior by generating software personas and analyzing responses to common automation tasks
on: daily
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agentic-token-trend-audit.lock.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions .github/workflows/agentic-token-trend-audit.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
private: true
description: On-demand AIC audit for a user-specified date range
on:
workflow_dispatch:
Expand Down
Loading
Loading