Dev

Dev #980

Workflow file for this run

.github/workflows/dev.lock.yml at 43c5c10

	# This file was automatically generated by gh-aw. DO NOT EDIT.
	# To update this file, edit the corresponding .md file and run:
	# gh aw compile
	# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/instructions/github-agentic-workflows.instructions.md

	name: "Dev"
	"on":
	push:
	branches:
	- copilot/*
	workflow_dispatch: null

	permissions: {}

	concurrency:
	group: "gh-aw-${{ github.workflow }}-${{ github.ref }}"

	run-name: "Dev"

	jobs:
	check-membership:
	runs-on: ubuntu-latest
	outputs:
	error_message: ${{ steps.check-membership.outputs.error_message }}
	is_team_member: ${{ steps.check-membership.outputs.is_team_member }}
	result: ${{ steps.check-membership.outputs.result }}
	user_permission: ${{ steps.check-membership.outputs.user_permission }}
	steps:
	- name: Check team membership for workflow
	id: check-membership
	uses: actions/github-script@v8
	env:
	GITHUB_AW_REQUIRED_ROLES: admin,maintainer
	with:
	script: \|
	async function main() {
	const { eventName } = context;
	// skip check for safe events
	const safeEvents = ["workflow_dispatch", "workflow_run", "schedule"];
	if (safeEvents.includes(eventName)) {
	core.info(`✅ Event ${eventName} does not require validation`);
	core.setOutput("is_team_member", "true");
	core.setOutput("result", "safe_event");
	return;
	}
	const actor = context.actor;
	const { owner, repo } = context.repo;
	const requiredPermissionsEnv = process.env.GITHUB_AW_REQUIRED_ROLES;
	const requiredPermissions = requiredPermissionsEnv ? requiredPermissionsEnv.split(",").filter(p => p.trim() !== "") : [];
	if (!requiredPermissions \|\| requiredPermissions.length === 0) {
	core.warning("❌ Configuration error: Required permissions not specified. Contact repository administrator.");
	core.setOutput("is_team_member", "false");
	core.setOutput("result", "config_error");
	core.setOutput("error_message", "Configuration error: Required permissions not specified");
	return;
	}
	// Check if the actor has the required repository permissions
	try {
	core.debug(`Checking if user '${actor}' has required permissions for ${owner}/${repo}`);
	core.debug(`Required permissions: ${requiredPermissions.join(", ")}`);
	const repoPermission = await github.rest.repos.getCollaboratorPermissionLevel({
	owner: owner,
	repo: repo,
	username: actor,
	});
	const permission = repoPermission.data.permission;
	core.debug(`Repository permission level: ${permission}`);
	// Check if user has one of the required permission levels
	for (const requiredPerm of requiredPermissions) {
	if (permission === requiredPerm \|\| (requiredPerm === "maintainer" && permission === "maintain")) {
	core.info(`✅ User has ${permission} access to repository`);
	core.setOutput("is_team_member", "true");
	core.setOutput("result", "authorized");
	core.setOutput("user_permission", permission);
	return;
	}
	}
	core.warning(`User permission '${permission}' does not meet requirements: ${requiredPermissions.join(", ")}`);
	core.setOutput("is_team_member", "false");
	core.setOutput("result", "insufficient_permissions");
	core.setOutput("user_permission", permission);
	core.setOutput(
	"error_message",
	`Access denied: User '${actor}' is not authorized. Required permissions: ${requiredPermissions.join(", ")}`
	);
	} catch (repoError) {
	const errorMessage = repoError instanceof Error ? repoError.message : String(repoError);
	core.warning(`Repository permission check failed: ${errorMessage}`);
	core.setOutput("is_team_member", "false");
	core.setOutput("result", "api_error");
	core.setOutput("error_message", `Repository permission check failed: ${errorMessage}`);
	return;
	}
	}
	await main();

	activation:
	needs: check-membership
	if: needs.check-membership.outputs.is_team_member == 'true'
	runs-on: ubuntu-latest
	steps:
	- run: echo "Activation success"

	add_reaction:
	needs: activation
	if: >
	github.event_name == 'issues' \|\| github.event_name == 'issue_comment' \|\| github.event_name == 'pull_request_comment' \|\|
	github.event_name == 'pull_request_review_comment' \|\| (github.event_name == 'pull_request') &&
	(github.event.pull_request.head.repo.full_name == github.repository)
	runs-on: ubuntu-latest
	permissions:
	issues: write
	pull-requests: write
	outputs:
	reaction_id: ${{ steps.react.outputs.reaction-id }}
	steps:
	- name: Add eyes reaction to the triggering item
	id: react
	uses: actions/github-script@v8
	env:
	GITHUB_AW_REACTION: eyes
	with:
	script: \|
	async function main() {
	const reaction = process.env.GITHUB_AW_REACTION \|\| "eyes";
	const command = process.env.GITHUB_AW_COMMAND;
	const runId = context.runId;
	const runUrl = context.payload.repository
	? `${context.payload.repository.html_url}/actions/runs/${runId}`
	: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${runId}`;
	core.info(`Reaction type: ${reaction}`);
	core.info(`Command name: ${command \|\| "none"}`);
	core.info(`Run ID: ${runId}`);
	core.info(`Run URL: ${runUrl}`);
	const validReactions = ["+1", "-1", "laugh", "confused", "heart", "hooray", "rocket", "eyes"];
	if (!validReactions.includes(reaction)) {
	core.setFailed(`Invalid reaction type: ${reaction}. Valid reactions are: ${validReactions.join(", ")}`);
	return;
	}
	let reactionEndpoint;
	let commentUpdateEndpoint;
	let shouldEditComment = false;
	const eventName = context.eventName;
	const owner = context.repo.owner;
	const repo = context.repo.repo;
	try {
	switch (eventName) {
	case "issues":
	const issueNumber = context.payload?.issue?.number;
	if (!issueNumber) {
	core.setFailed("Issue number not found in event payload");
	return;
	}
	reactionEndpoint = `/repos/${owner}/${repo}/issues/${issueNumber}/reactions`;
	shouldEditComment = false;
	break;
	case "issue_comment":
	const commentId = context.payload?.comment?.id;
	if (!commentId) {
	core.setFailed("Comment ID not found in event payload");
	return;
	}
	reactionEndpoint = `/repos/${owner}/${repo}/issues/comments/${commentId}/reactions`;
	commentUpdateEndpoint = `/repos/${owner}/${repo}/issues/comments/${commentId}`;
	shouldEditComment = command ? true : false;
	break;
	case "pull_request":
	const prNumber = context.payload?.pull_request?.number;
	if (!prNumber) {
	core.setFailed("Pull request number not found in event payload");
	return;
	}
	reactionEndpoint = `/repos/${owner}/${repo}/issues/${prNumber}/reactions`;
	shouldEditComment = false;
	break;
	case "pull_request_review_comment":
	const reviewCommentId = context.payload?.comment?.id;
	if (!reviewCommentId) {
	core.setFailed("Review comment ID not found in event payload");
	return;
	}
	reactionEndpoint = `/repos/${owner}/${repo}/pulls/comments/${reviewCommentId}/reactions`;
	commentUpdateEndpoint = `/repos/${owner}/${repo}/pulls/comments/${reviewCommentId}`;
	shouldEditComment = command ? true : false;
	break;
	default:
	core.setFailed(`Unsupported event type: ${eventName}`);
	return;
	}
	core.info(`Reaction API endpoint: ${reactionEndpoint}`);
	await addReaction(reactionEndpoint, reaction);
	if (shouldEditComment && commentUpdateEndpoint) {
	core.info(`Comment update endpoint: ${commentUpdateEndpoint}`);
	await editCommentWithWorkflowLink(commentUpdateEndpoint, runUrl);
	} else {
	if (!command && commentUpdateEndpoint) {
	core.info("Skipping comment edit - only available for command workflows");
	} else {
	core.info(`Skipping comment edit for event type: ${eventName}`);
	}
	}
	} catch (error) {
	const errorMessage = error instanceof Error ? error.message : String(error);
	core.error(`Failed to process reaction and comment edit: ${errorMessage}`);
	core.setFailed(`Failed to process reaction and comment edit: ${errorMessage}`);
	}
	}
	async function addReaction(endpoint, reaction) {
	const response = await github.request("POST " + endpoint, {
	content: reaction,
	headers: {
	Accept: "application/vnd.github+json",
	},
	});
	const reactionId = response.data?.id;
	if (reactionId) {
	core.info(`Successfully added reaction: ${reaction} (id: ${reactionId})`);
	core.setOutput("reaction-id", reactionId.toString());
	} else {
	core.info(`Successfully added reaction: ${reaction}`);
	core.setOutput("reaction-id", "");
	}
	}
	async function editCommentWithWorkflowLink(endpoint, runUrl) {
	try {
	const getResponse = await github.request("GET " + endpoint, {
	headers: {
	Accept: "application/vnd.github+json",
	},
	});
	const originalBody = getResponse.data.body \|\| "";
	const workflowLinkText = `\n\n---\n🤖 [Workflow run](${runUrl}) triggered by this comment`;
	if (originalBody.includes("*🤖 [Workflow run](")) {
	core.info("Comment already contains a workflow run link, skipping edit");
	return;
	}
	const updatedBody = originalBody + workflowLinkText;
	const updateResponse = await github.request("PATCH " + endpoint, {
	body: updatedBody,
	headers: {
	Accept: "application/vnd.github+json",
	},
	});
	core.info(`Successfully updated comment with workflow link`);
	core.info(`Comment ID: ${updateResponse.data.id}`);
	} catch (error) {
	const errorMessage = error instanceof Error ? error.message : String(error);
	core.warning(
	"Failed to edit comment with workflow link (This is not critical - the reaction was still added successfully): " + errorMessage
	);
	}
	}
	await main();

	agent:
	needs: activation
	runs-on: ubuntu-latest
	permissions: read-all
	outputs:
	output: ${{ steps.collect_output.outputs.output }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@v5
	- name: Generate Claude Settings
	run: \|
	mkdir -p /tmp/.claude
	cat > /tmp/.claude/settings.json << 'EOF'
	{
	"hooks": {
	"PreToolUse": [
	{
	"matcher": "WebFetch\|WebSearch",
	"hooks": [
	{
	"type": "command",
	"command": ".claude/hooks/network_permissions.py"
	}
	]
	}
	]
	}
	}
	EOF
	- name: Generate Network Permissions Hook
	run: \|
	mkdir -p .claude/hooks
	cat > .claude/hooks/network_permissions.py << 'EOF'
	#!/usr/bin/env python3
	"""
	Network permissions validator for Claude Code engine.
	Generated by gh-aw from engine network permissions configuration.
	"""

	import json
	import sys
	import urllib.parse
	import re

	# Domain allow-list (populated during generation)
	ALLOWED_DOMAINS = ["crl3.digicert.com","crl4.digicert.com","ocsp.digicert.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","crl.geotrust.com","ocsp.geotrust.com","crl.thawte.com","ocsp.thawte.com","crl.verisign.com","ocsp.verisign.com","crl.globalsign.com","ocsp.globalsign.com","crls.ssl.com","ocsp.ssl.com","crl.identrust.com","ocsp.identrust.com","crl.sectigo.com","ocsp.sectigo.com","crl.usertrust.com","ocsp.usertrust.com","s.symcb.com","s.symcd.com","json-schema.org","json.schemastore.org","archive.ubuntu.com","security.ubuntu.com","ppa.launchpad.net","keyserver.ubuntu.com","azure.archive.ubuntu.com","api.snapcraft.io","packagecloud.io","packages.cloud.google.com","packages.microsoft.com"]

	def extract_domain(url_or_query):
	"""Extract domain from URL or search query."""
	if not url_or_query:
	return None

	if url_or_query.startswith(('http://', 'https://')):
	return urllib.parse.urlparse(url_or_query).netloc.lower()

	# Check for domain patterns in search queries
	match = re.search(r'site:([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})', url_or_query)
	if match:
	return match.group(1).lower()

	return None

	def is_domain_allowed(domain):
	"""Check if domain is allowed."""
	if not domain:
	# If no domain detected, allow only if not under deny-all policy
	return bool(ALLOWED_DOMAINS) # False if empty list (deny-all), True if has domains

	# Empty allowed domains means deny all
	if not ALLOWED_DOMAINS:
	return False

	for pattern in ALLOWED_DOMAINS:
	regex = pattern.replace('.', r'\.').replace('', '.')
	if re.match(f'^{regex}$', domain):
	return True
	return False

	# Main logic
	try:
	data = json.load(sys.stdin)
	tool_name = data.get('tool_name', '')
	tool_input = data.get('tool_input', {})

	if tool_name not in ['WebFetch', 'WebSearch']:
	sys.exit(0) # Allow other tools

	target = tool_input.get('url') or tool_input.get('query', '')
	domain = extract_domain(target)

	# For WebSearch, apply domain restrictions consistently
	# If no domain detected in search query, check if restrictions are in place
	if tool_name == 'WebSearch' and not domain:
	# Since this hook is only generated when network permissions are configured,
	# empty ALLOWED_DOMAINS means deny-all policy
	if not ALLOWED_DOMAINS: # Empty list means deny all
	print(f"Network access blocked: deny-all policy in effect", file=sys.stderr)
	print(f"No domains are allowed for WebSearch", file=sys.stderr)
	sys.exit(2) # Block under deny-all policy
	else:
	print(f"Network access blocked for web-search: no specific domain detected", file=sys.stderr)
	print(f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}", file=sys.stderr)
	sys.exit(2) # Block general searches when domain allowlist is configured

	if not is_domain_allowed(domain):
	print(f"Network access blocked for domain: {domain}", file=sys.stderr)
	print(f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}", file=sys.stderr)
	sys.exit(2) # Block with feedback to Claude

	sys.exit(0) # Allow

	except Exception as e:
	print(f"Network validation error: {e}", file=sys.stderr)
	sys.exit(2) # Block on errors

	EOF
	chmod +x .claude/hooks/network_permissions.py
	- name: Setup agent output
	id: setup_agent_output
	uses: actions/github-script@v8
	with:
	script: \|
	const fs = require("fs");
	const crypto = require("crypto");
	function main() {
	const randomSuffix = crypto.randomBytes(8).toString("hex");
	const outputFile = `/tmp/aw_output_${randomSuffix}.txt`;
	fs.mkdirSync("/tmp", { recursive: true });
	core.exportVariable("GITHUB_AW_SAFE_OUTPUTS", outputFile);
	core.setOutput("output_file", outputFile);
	}
	main();
	- name: Setup MCPs
	run: \|
	mkdir -p /tmp/mcp-config
	cat > /tmp/mcp-config/mcp-servers.json << 'EOF'
	{
	"mcpServers": {
	"github": {
	"command": "docker",
	"args": [
	"run",
	"-i",
	"--rm",
	"-e",
	"GITHUB_PERSONAL_ACCESS_TOKEN",
	"ghcr.io/github/github-mcp-server:sha-09deac4"
	],
	"env": {
	"GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}"
	}
	}
	}
	}
	EOF
	- name: Create prompt
	env:
	GITHUB_AW_PROMPT: /tmp/aw-prompts/prompt.txt
	GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
	run: \|
	mkdir -p $(dirname "$GITHUB_AW_PROMPT")
	cat > $GITHUB_AW_PROMPT << 'EOF'
	summarize and publish to issue:

	Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

	EOF
	- name: Append safe outputs instructions to prompt
	env:
	GITHUB_AW_PROMPT: /tmp/aw-prompts/prompt.txt
	run: \|
	cat >> $GITHUB_AW_PROMPT << 'EOF'

	---

	## Reporting Missing Tools or Functionality

	IMPORTANT: To do the actions mentioned in the header of this section, use the safe-outputs tools, do NOT attempt to use `gh`, do NOT attempt to use the GitHub API. You don't have write access to the GitHub repo.

	EOF
	- name: Print prompt to step summary
	env:
	GITHUB_AW_PROMPT: /tmp/aw-prompts/prompt.txt
	run: \|
	echo "## Generated Prompt" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo '``````markdown' >> $GITHUB_STEP_SUMMARY
	cat $GITHUB_AW_PROMPT >> $GITHUB_STEP_SUMMARY
	echo '``````' >> $GITHUB_STEP_SUMMARY
	- name: Generate agentic run info
	uses: actions/github-script@v8
	with:
	script: \|
	const fs = require('fs');

	const awInfo = {
	engine_id: "claude",
	engine_name: "Claude Code",
	model: "",
	version: "",
	workflow_name: "Dev",
	experimental: false,
	supports_tools_allowlist: true,
	supports_http_transport: true,
	run_id: context.runId,
	run_number: context.runNumber,
	run_attempt: process.env.GITHUB_RUN_ATTEMPT,
	repository: context.repo.owner + '/' + context.repo.repo,
	ref: context.ref,
	sha: context.sha,
	actor: context.actor,
	event_name: context.eventName,
	staged: true,
	created_at: new Date().toISOString()
	};

	// Write to /tmp directory to avoid inclusion in PR
	const tmpPath = '/tmp/aw_info.json';
	fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2));
	console.log('Generated aw_info.json at:', tmpPath);
	console.log(JSON.stringify(awInfo, null, 2));

	// Add agentic workflow run information to step summary
	core.summary
	.addRaw('## Agentic Run Information\n\n')
	.addRaw('```json\n')
	.addRaw(JSON.stringify(awInfo, null, 2))
	.addRaw('\n```\n')
	.write();
	- name: Upload agentic run info
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: aw_info.json
	path: /tmp/aw_info.json
	if-no-files-found: warn
	- name: Execute Claude Code CLI
	id: agentic_execution
	# Allowed tools (sorted):
	# - ExitPlanMode
	# - Glob
	# - Grep
	# - LS
	# - NotebookRead
	# - Read
	# - Task
	# - TodoWrite
	# - Write
	# - mcp__github__download_workflow_run_artifact
	# - mcp__github__get_code_scanning_alert
	# - mcp__github__get_commit
	# - mcp__github__get_dependabot_alert
	# - mcp__github__get_discussion
	# - mcp__github__get_discussion_comments
	# - mcp__github__get_file_contents
	# - mcp__github__get_issue
	# - mcp__github__get_issue_comments
	# - mcp__github__get_job_logs
	# - mcp__github__get_me
	# - mcp__github__get_notification_details
	# - mcp__github__get_pull_request
	# - mcp__github__get_pull_request_comments
	# - mcp__github__get_pull_request_diff
	# - mcp__github__get_pull_request_files
	# - mcp__github__get_pull_request_reviews
	# - mcp__github__get_pull_request_status
	# - mcp__github__get_secret_scanning_alert
	# - mcp__github__get_tag
	# - mcp__github__get_workflow_run
	# - mcp__github__get_workflow_run_logs
	# - mcp__github__get_workflow_run_usage
	# - mcp__github__list_branches
	# - mcp__github__list_code_scanning_alerts
	# - mcp__github__list_commits
	# - mcp__github__list_dependabot_alerts
	# - mcp__github__list_discussion_categories
	# - mcp__github__list_discussions
	# - mcp__github__list_issues
	# - mcp__github__list_notifications
	# - mcp__github__list_pull_requests
	# - mcp__github__list_secret_scanning_alerts
	# - mcp__github__list_tags
	# - mcp__github__list_workflow_jobs
	# - mcp__github__list_workflow_run_artifacts
	# - mcp__github__list_workflow_runs
	# - mcp__github__list_workflows
	# - mcp__github__search_code
	# - mcp__github__search_issues
	# - mcp__github__search_orgs
	# - mcp__github__search_pull_requests
	# - mcp__github__search_repositories
	# - mcp__github__search_users
	timeout-minutes: 5
	run: \|
	set -o pipefail
	# Execute Claude Code CLI with prompt from file
	npx @anthropic-ai/claude-code@latest --print --mcp-config /tmp/mcp-config/mcp-servers.json --allowed-tools "ExitPlanMode,Glob,Grep,LS,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__get_job_logs,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issues,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_secret_scanning_alerts,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users" --debug --verbose --permission-mode bypassPermissions --output-format json --settings /tmp/.claude/settings.json "$(cat /tmp/aw-prompts/prompt.txt)" 2>&1 \| tee /tmp/dev.log
	env:
	ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
	DISABLE_TELEMETRY: "1"
	DISABLE_ERROR_REPORTING: "1"
	DISABLE_BUG_COMMAND: "1"
	GITHUB_AW_PROMPT: /tmp/aw-prompts/prompt.txt
	GITHUB_AW_MCP_CONFIG: /tmp/mcp-config/mcp-servers.json
	MCP_TIMEOUT: "60000"
	GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
	GITHUB_AW_SAFE_OUTPUTS_STAGED: "true"
	- name: Ensure log file exists
	if: always()
	run: \|
	# Ensure log file exists
	touch /tmp/dev.log
	# Show last few lines for debugging
	echo "=== Last 10 lines of Claude execution log ==="
	tail -10 /tmp/dev.log \|\| echo "No log content available"
	- name: Print Agent output
	env:
	GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
	run: \|
	echo "## Safe Outputs (JSONL)" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo '``````json' >> $GITHUB_STEP_SUMMARY
	if [ -f ${{ env.GITHUB_AW_SAFE_OUTPUTS }} ]; then
	cat ${{ env.GITHUB_AW_SAFE_OUTPUTS }} >> $GITHUB_STEP_SUMMARY
	# Ensure there's a newline after the file content if it doesn't end with one
	if [ -s ${{ env.GITHUB_AW_SAFE_OUTPUTS }} ] && [ "$(tail -c1 ${{ env.GITHUB_AW_SAFE_OUTPUTS }})" != "" ]; then
	echo "" >> $GITHUB_STEP_SUMMARY
	fi
	else
	echo "No agent output file found" >> $GITHUB_STEP_SUMMARY
	fi
	echo '``````' >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	- name: Upload agentic output file
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: safe_output.jsonl
	path: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
	if-no-files-found: warn
	- name: Ingest agent output
	id: collect_output
	uses: actions/github-script@v8
	env:
	GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
	GITHUB_AW_SAFE_OUTPUTS_CONFIG: "{\"echo\":{\"inputs\":{\"message\":{\"default\":\"Hello from safe-job!\",\"description\":\"Message to echo\",\"required\":true,\"type\":\"string\"}}}}"
	with:
	script: \|
	async function main() {
	const fs = require("fs");
	function sanitizeContent(content) {
	if (!content \|\| typeof content !== "string") {
	return "";
	}
	const allowedDomainsEnv = process.env.GITHUB_AW_ALLOWED_DOMAINS;
	const defaultAllowedDomains = ["github.com", "github.io", "githubusercontent.com", "githubassets.com", "github.dev", "codespaces.new"];
	const allowedDomains = allowedDomainsEnv
	? allowedDomainsEnv
	.split(",")
	.map(d => d.trim())
	.filter(d => d)
	: defaultAllowedDomains;
	let sanitized = content;
	sanitized = neutralizeMentions(sanitized);
	sanitized = removeXmlComments(sanitized);
	sanitized = sanitized.replace(/\x1b\[[0-9;]*[mGKH]/g, "");
	sanitized = sanitized.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
	sanitized = sanitizeUrlProtocols(sanitized);
	sanitized = sanitizeUrlDomains(sanitized);
	const maxLength = 524288;
	if (sanitized.length > maxLength) {
	sanitized = sanitized.substring(0, maxLength) + "\n[Content truncated due to length]";
	}
	const lines = sanitized.split("\n");
	const maxLines = 65000;
	if (lines.length > maxLines) {
	sanitized = lines.slice(0, maxLines).join("\n") + "\n[Content truncated due to line count]";
	}
	sanitized = neutralizeBotTriggers(sanitized);
	return sanitized.trim();
	function sanitizeUrlDomains(s) {
	return s.replace(/\bhttps:\/\/[^\s\])}'"<>&\x00-\x1f,;]+/gi, match => {
	const urlAfterProtocol = match.slice(8);
	const hostname = urlAfterProtocol.split(/[\/:\?#]/)[0].toLowerCase();
	const isAllowed = allowedDomains.some(allowedDomain => {
	const normalizedAllowed = allowedDomain.toLowerCase();
	return hostname === normalizedAllowed \|\| hostname.endsWith("." + normalizedAllowed);
	});
	return isAllowed ? match : "(redacted)";
	});
	}
	function sanitizeUrlProtocols(s) {
	return s.replace(/\b(\w+):\/\/[^\s\])}'"<>&\x00-\x1f]+/gi, (match, protocol) => {
	return protocol.toLowerCase() === "https" ? match : "(redacted)";
	});
	}
	function neutralizeMentions(s) {
	return s.replace(
	/(^\|[^\w`])@([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?(?:\/[A-Za-z0-9._-]+)?)/g,
	(_m, p1, p2) => `${p1}\`@${p2}\``
	);
	}
	function removeXmlComments(s) {
	return s.replace(/<!--[\s\S]?-->/g, "").replace(/<!--[\s\S]?--!>/g, "");
	}
	function neutralizeBotTriggers(s) {
	return s.replace(/\b(fixes?\|closes?\|resolves?\|fix\|close\|resolve)\s+#(\w+)/gi, (match, action, ref) => `\`${action} #${ref}\``);
	}
	}
	function getMaxAllowedForType(itemType, config) {
	if (config && config[itemType] && typeof config[itemType] === "object" && config[itemType].max) {
	return config[itemType].max;
	}
	switch (itemType) {
	case "create-issue":
	return 1;
	case "add-comment":
	return 1;
	case "create-pull-request":
	return 1;
	case "create-pull-request-review-comment":
	return 1;
	case "add-labels":
	return 5;
	case "update-issue":
	return 1;
	case "push-to-pull-request-branch":
	return 1;
	case "create-discussion":
	return 1;
	case "missing-tool":
	return 1000;
	case "create-code-scanning-alert":
	return 1000;
	case "upload-asset":
	return 10;
	default:
	return 1;
	}
	}
	function repairJson(jsonStr) {
	let repaired = jsonStr.trim();
	const _ctrl = { 8: "\\b", 9: "\\t", 10: "\\n", 12: "\\f", 13: "\\r" };
	repaired = repaired.replace(/[\u0000-\u001F]/g, ch => {
	const c = ch.charCodeAt(0);
	return _ctrl[c] \|\| "\\u" + c.toString(16).padStart(4, "0");
	});
	repaired = repaired.replace(/'/g, '"');
	repaired = repaired.replace(/([{,]\s)([a-zA-Z_$][a-zA-Z0-9_$])\s*:/g, '$1"$2":');
	repaired = repaired.replace(/"([^"\\]*)"/g, (match, content) => {
	if (content.includes("\n") \|\| content.includes("\r") \|\| content.includes("\t")) {
	const escaped = content.replace(/\\/g, "\\\\").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");
	return `"${escaped}"`;
	}
	return match;
	});
	repaired = repaired.replace(/"([^"])"([^":,}\]])"([^"])"(\s[,:}\]])/g, (match, p1, p2, p3, p4) => `"${p1}\\"${p2}\\"${p3}"${p4}`);
	repaired = repaired.replace(/(\[\s(?:"[^"]"(?:\s,\s"[^"]")\s),?)\s}/g, "$1]");
	const openBraces = (repaired.match(/\{/g) \|\| []).length;
	const closeBraces = (repaired.match(/\}/g) \|\| []).length;
	if (openBraces > closeBraces) {
	repaired += "}".repeat(openBraces - closeBraces);
	} else if (closeBraces > openBraces) {
	repaired = "{".repeat(closeBraces - openBraces) + repaired;
	}
	const openBrackets = (repaired.match(/\[/g) \|\| []).length;
	const closeBrackets = (repaired.match(/\]/g) \|\| []).length;
	if (openBrackets > closeBrackets) {
	repaired += "]".repeat(openBrackets - closeBrackets);
	} else if (closeBrackets > openBrackets) {
	repaired = "[".repeat(closeBrackets - openBrackets) + repaired;
	}
	repaired = repaired.replace(/,(\s*[}\]])/g, "$1");
	return repaired;
	}
	function validatePositiveInteger(value, fieldName, lineNum) {
	if (value === undefined \|\| value === null) {
	if (fieldName.includes("create-code-scanning-alert 'line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-code-scanning-alert requires a 'line' field (number or string)`,
	};
	}
	if (fieldName.includes("create-pull-request-review-comment 'line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-pull-request-review-comment requires a 'line' number`,
	};
	}
	return {
	isValid: false,
	error: `Line ${lineNum}: ${fieldName} is required`,
	};
	}
	if (typeof value !== "number" && typeof value !== "string") {
	if (fieldName.includes("create-code-scanning-alert 'line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-code-scanning-alert requires a 'line' field (number or string)`,
	};
	}
	if (fieldName.includes("create-pull-request-review-comment 'line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-pull-request-review-comment requires a 'line' number or string field`,
	};
	}
	return {
	isValid: false,
	error: `Line ${lineNum}: ${fieldName} must be a number or string`,
	};
	}
	const parsed = typeof value === "string" ? parseInt(value, 10) : value;
	if (isNaN(parsed) \|\| parsed <= 0 \|\| !Number.isInteger(parsed)) {
	if (fieldName.includes("create-code-scanning-alert 'line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-code-scanning-alert 'line' must be a valid positive integer (got: ${value})`,
	};
	}
	if (fieldName.includes("create-pull-request-review-comment 'line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-pull-request-review-comment 'line' must be a positive integer`,
	};
	}
	return {
	isValid: false,
	error: `Line ${lineNum}: ${fieldName} must be a positive integer (got: ${value})`,
	};
	}
	return { isValid: true, normalizedValue: parsed };
	}
	function validateOptionalPositiveInteger(value, fieldName, lineNum) {
	if (value === undefined) {
	return { isValid: true };
	}
	if (typeof value !== "number" && typeof value !== "string") {
	if (fieldName.includes("create-pull-request-review-comment 'start_line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-pull-request-review-comment 'start_line' must be a number or string`,
	};
	}
	if (fieldName.includes("create-code-scanning-alert 'column'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-code-scanning-alert 'column' must be a number or string`,
	};
	}
	return {
	isValid: false,
	error: `Line ${lineNum}: ${fieldName} must be a number or string`,
	};
	}
	const parsed = typeof value === "string" ? parseInt(value, 10) : value;
	if (isNaN(parsed) \|\| parsed <= 0 \|\| !Number.isInteger(parsed)) {
	if (fieldName.includes("create-pull-request-review-comment 'start_line'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-pull-request-review-comment 'start_line' must be a positive integer`,
	};
	}
	if (fieldName.includes("create-code-scanning-alert 'column'")) {
	return {
	isValid: false,
	error: `Line ${lineNum}: create-code-scanning-alert 'column' must be a valid positive integer (got: ${value})`,
	};
	}
	return {
	isValid: false,
	error: `Line ${lineNum}: ${fieldName} must be a positive integer (got: ${value})`,
	};
	}
	return { isValid: true, normalizedValue: parsed };
	}
	function validateIssueOrPRNumber(value, fieldName, lineNum) {
	if (value === undefined) {
	return { isValid: true };
	}
	if (typeof value !== "number" && typeof value !== "string") {
	return {
	isValid: false,
	error: `Line ${lineNum}: ${fieldName} must be a number or string`,
	};
	}
	return { isValid: true };
	}
	function parseJsonWithRepair(jsonStr) {
	try {
	return JSON.parse(jsonStr);
	} catch (originalError) {
	try {
	const repairedJson = repairJson(jsonStr);
	return JSON.parse(repairedJson);
	} catch (repairError) {
	core.info(`invalid input json: ${jsonStr}`);
	const originalMsg = originalError instanceof Error ? originalError.message : String(originalError);
	const repairMsg = repairError instanceof Error ? repairError.message : String(repairError);
	throw new Error(`JSON parsing failed. Original: ${originalMsg}. After attempted repair: ${repairMsg}`);
	}
	}
	}
	const outputFile = process.env.GITHUB_AW_SAFE_OUTPUTS;
	const safeOutputsConfig = process.env.GITHUB_AW_SAFE_OUTPUTS_CONFIG;
	if (!outputFile) {
	core.info("GITHUB_AW_SAFE_OUTPUTS not set, no output to collect");
	core.setOutput("output", "");
	return;
	}
	if (!fs.existsSync(outputFile)) {
	core.info(`Output file does not exist: ${outputFile}`);
	core.setOutput("output", "");
	return;
	}
	const outputContent = fs.readFileSync(outputFile, "utf8");
	if (outputContent.trim() === "") {
	core.info("Output file is empty");
	core.setOutput("output", "");
	return;
	}
	core.info(`Raw output content length: ${outputContent.length}`);
	let expectedOutputTypes = {};
	if (safeOutputsConfig) {
	try {
	expectedOutputTypes = JSON.parse(safeOutputsConfig);
	core.info(`Expected output types: ${JSON.stringify(Object.keys(expectedOutputTypes))}`);
	} catch (error) {
	const errorMsg = error instanceof Error ? error.message : String(error);
	core.info(`Warning: Could not parse safe-outputs config: ${errorMsg}`);
	}
	}
	const lines = outputContent.trim().split("\n");
	const parsedItems = [];
	const errors = [];
	for (let i = 0; i < lines.length; i++) {
	const line = lines[i].trim();
	if (line === "") continue;
	try {
	const item = parseJsonWithRepair(line);
	if (item === undefined) {
	errors.push(`Line ${i + 1}: Invalid JSON - JSON parsing failed`);
	continue;
	}
	if (!item.type) {
	errors.push(`Line ${i + 1}: Missing required 'type' field`);
	continue;
	}
	const itemType = item.type;
	if (!expectedOutputTypes[itemType]) {
	errors.push(`Line ${i + 1}: Unexpected output type '${itemType}'. Expected one of: ${Object.keys(expectedOutputTypes).join(", ")}`);
	continue;
	}
	const typeCount = parsedItems.filter(existing => existing.type === itemType).length;
	const maxAllowed = getMaxAllowedForType(itemType, expectedOutputTypes);
	if (typeCount >= maxAllowed) {
	errors.push(`Line ${i + 1}: Too many items of type '${itemType}'. Maximum allowed: ${maxAllowed}.`);
	continue;
	}
	switch (itemType) {
	case "create-issue":
	if (!item.title \|\| typeof item.title !== "string") {
	errors.push(`Line ${i + 1}: create_issue requires a 'title' string field`);
	continue;
	}
	if (!item.body \|\| typeof item.body !== "string") {
	errors.push(`Line ${i + 1}: create_issue requires a 'body' string field`);
	continue;
	}
	item.title = sanitizeContent(item.title);
	item.body = sanitizeContent(item.body);
	if (item.labels && Array.isArray(item.labels)) {
	item.labels = item.labels.map( label => (typeof label === "string" ? sanitizeContent(label) : label));
	}
	break;
	case "add-comment":
	if (!item.body \|\| typeof item.body !== "string") {
	errors.push(`Line ${i + 1}: add_comment requires a 'body' string field`);
	continue;
	}
	const issueNumValidation = validateIssueOrPRNumber(item.issue_number, "add_comment 'issue_number'", i + 1);
	if (!issueNumValidation.isValid) {
	errors.push(issueNumValidation.error);
	continue;
	}
	item.body = sanitizeContent(item.body);
	break;
	case "create-pull-request":
	if (!item.title \|\| typeof item.title !== "string") {
	errors.push(`Line ${i + 1}: create_pull_request requires a 'title' string field`);
	continue;
	}
	if (!item.body \|\| typeof item.body !== "string") {
	errors.push(`Line ${i + 1}: create_pull_request requires a 'body' string field`);
	continue;
	}
	if (!item.branch \|\| typeof item.branch !== "string") {
	errors.push(`Line ${i + 1}: create_pull_request requires a 'branch' string field`);
	continue;
	}
	item.title = sanitizeContent(item.title);
	item.body = sanitizeContent(item.body);
	item.branch = sanitizeContent(item.branch);
	if (item.labels && Array.isArray(item.labels)) {
	item.labels = item.labels.map( label => (typeof label === "string" ? sanitizeContent(label) : label));
	}
	break;
	case "add-labels":
	if (!item.labels \|\| !Array.isArray(item.labels)) {
	errors.push(`Line ${i + 1}: add_labels requires a 'labels' array field`);
	continue;
	}
	if (item.labels.some( label => typeof label !== "string")) {
	errors.push(`Line ${i + 1}: add_labels labels array must contain only strings`);
	continue;
	}
	const labelsIssueNumValidation = validateIssueOrPRNumber(item.issue_number, "add-labels 'issue_number'", i + 1);
	if (!labelsIssueNumValidation.isValid) {
	errors.push(labelsIssueNumValidation.error);
	continue;
	}
	item.labels = item.labels.map( label => sanitizeContent(label));
	break;
	case "update-issue":
	const hasValidField = item.status !== undefined \|\| item.title !== undefined \|\| item.body !== undefined;
	if (!hasValidField) {
	errors.push(`Line ${i + 1}: update_issue requires at least one of: 'status', 'title', or 'body' fields`);
	continue;
	}
	if (item.status !== undefined) {
	if (typeof item.status !== "string" \|\| (item.status !== "open" && item.status !== "closed")) {
	errors.push(`Line ${i + 1}: update_issue 'status' must be 'open' or 'closed'`);
	continue;
	}
	}
	if (item.title !== undefined) {
	if (typeof item.title !== "string") {
	errors.push(`Line ${i + 1}: update-issue 'title' must be a string`);
	continue;
	}
	item.title = sanitizeContent(item.title);
	}
	if (item.body !== undefined) {
	if (typeof item.body !== "string") {
	errors.push(`Line ${i + 1}: update-issue 'body' must be a string`);
	continue;
	}
	item.body = sanitizeContent(item.body);
	}
	const updateIssueNumValidation = validateIssueOrPRNumber(item.issue_number, "update-issue 'issue_number'", i + 1);
	if (!updateIssueNumValidation.isValid) {
	errors.push(updateIssueNumValidation.error);
	continue;
	}
	break;
	case "push-to-pull-request-branch":
	if (!item.branch \|\| typeof item.branch !== "string") {
	errors.push(`Line ${i + 1}: push_to_pull_request_branch requires a 'branch' string field`);
	continue;
	}
	if (!item.message \|\| typeof item.message !== "string") {
	errors.push(`Line ${i + 1}: push_to_pull_request_branch requires a 'message' string field`);
	continue;
	}
	item.branch = sanitizeContent(item.branch);
	item.message = sanitizeContent(item.message);
	const pushPRNumValidation = validateIssueOrPRNumber(
	item.pull_request_number,
	"push-to-pull-request-branch 'pull_request_number'",
	i + 1
	);
	if (!pushPRNumValidation.isValid) {
	errors.push(pushPRNumValidation.error);
	continue;
	}
	break;
	case "create-pull-request-review-comment":
	if (!item.path \|\| typeof item.path !== "string") {
	errors.push(`Line ${i + 1}: create-pull-request-review-comment requires a 'path' string field`);
	continue;
	}
	const lineValidation = validatePositiveInteger(item.line, "create-pull-request-review-comment 'line'", i + 1);
	if (!lineValidation.isValid) {
	errors.push(lineValidation.error);
	continue;
	}
	const lineNumber = lineValidation.normalizedValue;
	if (!item.body \|\| typeof item.body !== "string") {
	errors.push(`Line ${i + 1}: create-pull-request-review-comment requires a 'body' string field`);
	continue;
	}
	item.body = sanitizeContent(item.body);
	const startLineValidation = validateOptionalPositiveInteger(
	item.start_line,
	"create-pull-request-review-comment 'start_line'",
	i + 1
	);
	if (!startLineValidation.isValid) {
	errors.push(startLineValidation.error);
	continue;
	}
	if (
	startLineValidation.normalizedValue !== undefined &&
	lineNumber !== undefined &&
	startLineValidation.normalizedValue > lineNumber
	) {
	errors.push(`Line ${i + 1}: create-pull-request-review-comment 'start_line' must be less than or equal to 'line'`);
	continue;
	}
	if (item.side !== undefined) {
	if (typeof item.side !== "string" \|\| (item.side !== "LEFT" && item.side !== "RIGHT")) {
	errors.push(`Line ${i + 1}: create-pull-request-review-comment 'side' must be 'LEFT' or 'RIGHT'`);
	continue;
	}
	}
	break;
	case "create-discussion":
	if (!item.title \|\| typeof item.title !== "string") {
	errors.push(`Line ${i + 1}: create_discussion requires a 'title' string field`);
	continue;
	}
	if (!item.body \|\| typeof item.body !== "string") {
	errors.push(`Line ${i + 1}: create_discussion requires a 'body' string field`);
	continue;
	}
	if (item.category !== undefined) {
	if (typeof item.category !== "string") {
	errors.push(`Line ${i + 1}: create_discussion 'category' must be a string`);
	continue;
	}
	item.category = sanitizeContent(item.category);
	}
	item.title = sanitizeContent(item.title);
	item.body = sanitizeContent(item.body);
	break;
	case "missing-tool":
	if (!item.tool \|\| typeof item.tool !== "string") {
	errors.push(`Line ${i + 1}: missing_tool requires a 'tool' string field`);
	continue;
	}
	if (!item.reason \|\| typeof item.reason !== "string") {
	errors.push(`Line ${i + 1}: missing_tool requires a 'reason' string field`);
	continue;
	}
	item.tool = sanitizeContent(item.tool);
	item.reason = sanitizeContent(item.reason);
	if (item.alternatives !== undefined) {
	if (typeof item.alternatives !== "string") {
	errors.push(`Line ${i + 1}: missing-tool 'alternatives' must be a string`);
	continue;
	}
	item.alternatives = sanitizeContent(item.alternatives);
	}
	break;
	case "upload-asset":
	if (!item.path \|\| typeof item.path !== "string") {
	errors.push(`Line ${i + 1}: upload_asset requires a 'path' string field`);
	continue;
	}
	break;
	case "create-code-scanning-alert":
	if (!item.file \|\| typeof item.file !== "string") {
	errors.push(`Line ${i + 1}: create-code-scanning-alert requires a 'file' field (string)`);
	continue;
	}
	const alertLineValidation = validatePositiveInteger(item.line, "create-code-scanning-alert 'line'", i + 1);
	if (!alertLineValidation.isValid) {
	errors.push(alertLineValidation.error);
	continue;
	}
	if (!item.severity \|\| typeof item.severity !== "string") {
	errors.push(`Line ${i + 1}: create-code-scanning-alert requires a 'severity' field (string)`);
	continue;
	}
	if (!item.message \|\| typeof item.message !== "string") {
	errors.push(`Line ${i + 1}: create-code-scanning-alert requires a 'message' field (string)`);
	continue;
	}
	const allowedSeverities = ["error", "warning", "info", "note"];
	if (!allowedSeverities.includes(item.severity.toLowerCase())) {
	errors.push(
	`Line ${i + 1}: create-code-scanning-alert 'severity' must be one of: ${allowedSeverities.join(", ")}, got ${item.severity.toLowerCase()}`
	);
	continue;
	}
	const columnValidation = validateOptionalPositiveInteger(item.column, "create-code-scanning-alert 'column'", i + 1);
	if (!columnValidation.isValid) {
	errors.push(columnValidation.error);
	continue;
	}
	if (item.ruleIdSuffix !== undefined) {
	if (typeof item.ruleIdSuffix !== "string") {
	errors.push(`Line ${i + 1}: create-code-scanning-alert 'ruleIdSuffix' must be a string`);
	continue;
	}
	if (!/^[a-zA-Z0-9_-]+$/.test(item.ruleIdSuffix.trim())) {
	errors.push(
	`Line ${i + 1}: create-code-scanning-alert 'ruleIdSuffix' must contain only alphanumeric characters, hyphens, and underscores`
	);
	continue;
	}
	}
	item.severity = item.severity.toLowerCase();
	item.file = sanitizeContent(item.file);
	item.severity = sanitizeContent(item.severity);
	item.message = sanitizeContent(item.message);
	if (item.ruleIdSuffix) {
	item.ruleIdSuffix = sanitizeContent(item.ruleIdSuffix);
	}
	break;
	default:
	errors.push(`Line ${i + 1}: Unknown output type '${itemType}'`);
	continue;
	}
	core.info(`Line ${i + 1}: Valid ${itemType} item`);
	parsedItems.push(item);
	} catch (error) {
	const errorMsg = error instanceof Error ? error.message : String(error);
	errors.push(`Line ${i + 1}: Invalid JSON - ${errorMsg}`);
	}
	}
	if (errors.length > 0) {
	core.warning("Validation errors found:");
	errors.forEach(error => core.warning(` - ${error}`));
	if (parsedItems.length === 0) {
	core.setFailed(errors.map(e => ` - ${e}`).join("\n"));
	return;
	}
	}
	core.info(`Successfully parsed ${parsedItems.length} valid output items`);
	const validatedOutput = {
	items: parsedItems,
	errors: errors,
	};
	const agentOutputFile = "/tmp/agent_output.json";
	const validatedOutputJson = JSON.stringify(validatedOutput);
	try {
	fs.mkdirSync("/tmp", { recursive: true });
	fs.writeFileSync(agentOutputFile, validatedOutputJson, "utf8");
	core.info(`Stored validated output to: ${agentOutputFile}`);
	core.exportVariable("GITHUB_AW_AGENT_OUTPUT", agentOutputFile);
	} catch (error) {
	const errorMsg = error instanceof Error ? error.message : String(error);
	core.error(`Failed to write agent output file: ${errorMsg}`);
	}
	core.setOutput("output", JSON.stringify(validatedOutput));
	core.setOutput("raw_output", outputContent);
	try {
	await core.summary
	.addRaw("## Processed Output\n\n")
	.addRaw("```json\n")
	.addRaw(JSON.stringify(validatedOutput))
	.addRaw("\n```\n")
	.write();
	core.info("Successfully wrote processed output to step summary");
	} catch (error) {
	const errorMsg = error instanceof Error ? error.message : String(error);
	core.warning(`Failed to write to step summary: ${errorMsg}`);
	}
	}
	await main();
	- name: Upload sanitized agent output
	if: always() && env.GITHUB_AW_AGENT_OUTPUT
	uses: actions/upload-artifact@v4
	with:
	name: agent_output.json
	path: ${{ env.GITHUB_AW_AGENT_OUTPUT }}
	if-no-files-found: warn
	- name: Upload MCP logs
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: mcp-logs
	path: /tmp/mcp-logs/
	if-no-files-found: ignore
	- name: Parse agent logs for step summary
	if: always()
	uses: actions/github-script@v8
	env:
	GITHUB_AW_AGENT_OUTPUT: /tmp/dev.log
	with:
	script: \|
	function main() {
	const fs = require("fs");
	try {
	const logFile = process.env.GITHUB_AW_AGENT_OUTPUT;
	if (!logFile) {
	core.info("No agent log file specified");
	return;
	}
	if (!fs.existsSync(logFile)) {
	core.info(`Log file not found: ${logFile}`);
	return;
	}
	const logContent = fs.readFileSync(logFile, "utf8");
	const result = parseClaudeLog(logContent);
	core.summary.addRaw(result.markdown).write();
	if (result.mcpFailures && result.mcpFailures.length > 0) {
	const failedServers = result.mcpFailures.join(", ");
	core.setFailed(`MCP server(s) failed to launch: ${failedServers}`);
	}
	} catch (error) {
	const errorMessage = error instanceof Error ? error.message : String(error);
	core.setFailed(errorMessage);
	}
	}
	function parseClaudeLog(logContent) {
	try {
	let logEntries;
	try {
	logEntries = JSON.parse(logContent);
	if (!Array.isArray(logEntries)) {
	throw new Error("Not a JSON array");
	}
	} catch (jsonArrayError) {
	logEntries = [];
	const lines = logContent.split("\n");
	for (const line of lines) {
	const trimmedLine = line.trim();
	if (trimmedLine === "") {
	continue;
	}
	if (trimmedLine.startsWith("[{")) {
	try {
	const arrayEntries = JSON.parse(trimmedLine);
	if (Array.isArray(arrayEntries)) {
	logEntries.push(...arrayEntries);
	continue;
	}
	} catch (arrayParseError) {
	continue;
	}
	}
	if (!trimmedLine.startsWith("{")) {
	continue;
	}
	try {
	const jsonEntry = JSON.parse(trimmedLine);
	logEntries.push(jsonEntry);
	} catch (jsonLineError) {
	continue;
	}
	}
	}
	if (!Array.isArray(logEntries) \|\| logEntries.length === 0) {
	return {
	markdown: "## Agent Log Summary\n\nLog format not recognized as Claude JSON array or JSONL.\n",
	mcpFailures: [],
	};
	}
	let markdown = "";
	const mcpFailures = [];
	const initEntry = logEntries.find(entry => entry.type === "system" && entry.subtype === "init");
	if (initEntry) {
	markdown += "## 🚀 Initialization\n\n";
	const initResult = formatInitializationSummary(initEntry);
	markdown += initResult.markdown;
	mcpFailures.push(...initResult.mcpFailures);
	markdown += "\n";
	}
	markdown += "## 🤖 Commands and Tools\n\n";
	const toolUsePairs = new Map();
	const commandSummary = [];
	for (const entry of logEntries) {
	if (entry.type === "user" && entry.message?.content) {
	for (const content of entry.message.content) {
	if (content.type === "tool_result" && content.tool_use_id) {
	toolUsePairs.set(content.tool_use_id, content);
	}
	}
	}
	}
	for (const entry of logEntries) {
	if (entry.type === "assistant" && entry.message?.content) {
	for (const content of entry.message.content) {
	if (content.type === "tool_use") {
	const toolName = content.name;
	const input = content.input \|\| {};
	if (["Read", "Write", "Edit", "MultiEdit", "LS", "Grep", "Glob", "TodoWrite"].includes(toolName)) {
	continue;
	}
	const toolResult = toolUsePairs.get(content.id);
	let statusIcon = "❓";
	if (toolResult) {
	statusIcon = toolResult.is_error === true ? "❌" : "✅";
	}
	if (toolName === "Bash") {
	const formattedCommand = formatBashCommand(input.command \|\| "");
	commandSummary.push(`* ${statusIcon} \`${formattedCommand}\``);
	} else if (toolName.startsWith("mcp__")) {
	const mcpName = formatMcpName(toolName);
	commandSummary.push(`* ${statusIcon} \`${mcpName}(...)\``);
	} else {
	commandSummary.push(`* ${statusIcon} ${toolName}`);
	}
	}
	}
	}
	}
	if (commandSummary.length > 0) {
	for (const cmd of commandSummary) {
	markdown += `${cmd}\n`;
	}
	} else {
	markdown += "No commands or tools used.\n";
	}
	markdown += "\n## 📊 Information\n\n";
	const lastEntry = logEntries[logEntries.length - 1];
	if (lastEntry && (lastEntry.num_turns \|\| lastEntry.duration_ms \|\| lastEntry.total_cost_usd \|\| lastEntry.usage)) {
	if (lastEntry.num_turns) {
	markdown += `Turns: ${lastEntry.num_turns}\n\n`;
	}
	if (lastEntry.duration_ms) {
	const durationSec = Math.round(lastEntry.duration_ms / 1000);
	const minutes = Math.floor(durationSec / 60);
	const seconds = durationSec % 60;
	markdown += `Duration: ${minutes}m ${seconds}s\n\n`;
	}
	if (lastEntry.total_cost_usd) {
	markdown += `Total Cost: $${lastEntry.total_cost_usd.toFixed(4)}\n\n`;
	}
	if (lastEntry.usage) {
	const usage = lastEntry.usage;
	if (usage.input_tokens \|\| usage.output_tokens) {
	markdown += `Token Usage:\n`;
	if (usage.input_tokens) markdown += `- Input: ${usage.input_tokens.toLocaleString()}\n`;
	if (usage.cache_creation_input_tokens) markdown += `- Cache Creation: ${usage.cache_creation_input_tokens.toLocaleString()}\n`;
	if (usage.cache_read_input_tokens) markdown += `- Cache Read: ${usage.cache_read_input_tokens.toLocaleString()}\n`;
	if (usage.output_tokens) markdown += `- Output: ${usage.output_tokens.toLocaleString()}\n`;
	markdown += "\n";
	}
	}
	if (lastEntry.permission_denials && lastEntry.permission_denials.length > 0) {
	markdown += `Permission Denials: ${lastEntry.permission_denials.length}\n\n`;
	}
	}
	markdown += "\n## 🤖 Reasoning\n\n";
	for (const entry of logEntries) {
	if (entry.type === "assistant" && entry.message?.content) {
	for (const content of entry.message.content) {
	if (content.type === "text" && content.text) {
	const text = content.text.trim();
	if (text && text.length > 0) {
	markdown += text + "\n\n";
	}
	} else if (content.type === "tool_use") {
	const toolResult = toolUsePairs.get(content.id);
	const toolMarkdown = formatToolUse(content, toolResult);
	if (toolMarkdown) {
	markdown += toolMarkdown;
	}
	}
	}
	}
	}
	return { markdown, mcpFailures };
	} catch (error) {
	const errorMessage = error instanceof Error ? error.message : String(error);
	return {
	markdown: `## Agent Log Summary\n\nError parsing Claude log (tried both JSON array and JSONL formats): ${errorMessage}\n`,
	mcpFailures: [],
	};
	}
	}
	function formatInitializationSummary(initEntry) {
	let markdown = "";
	const mcpFailures = [];
	if (initEntry.model) {
	markdown += `Model: ${initEntry.model}\n\n`;
	}
	if (initEntry.session_id) {
	markdown += `Session ID: ${initEntry.session_id}\n\n`;
	}
	if (initEntry.cwd) {
	const cleanCwd = initEntry.cwd.replace(/^\/home\/runner\/work\/[^\/]+\/[^\/]+/, ".");
	markdown += `Working Directory: ${cleanCwd}\n\n`;
	}
	if (initEntry.mcp_servers && Array.isArray(initEntry.mcp_servers)) {
	markdown += "MCP Servers:\n";
	for (const server of initEntry.mcp_servers) {
	const statusIcon = server.status === "connected" ? "✅" : server.status === "failed" ? "❌" : "❓";
	markdown += `- ${statusIcon} ${server.name} (${server.status})\n`;
	if (server.status === "failed") {
	mcpFailures.push(server.name);
	}
	}
	markdown += "\n";
	}
	if (initEntry.tools && Array.isArray(initEntry.tools)) {
	markdown += "Available Tools:\n";
	const categories = {
	Core: [],
	"File Operations": [],
	"Git/GitHub": [],
	MCP: [],
	Other: [],
	};
	for (const tool of initEntry.tools) {
	if (["Task", "Bash", "BashOutput", "KillBash", "ExitPlanMode"].includes(tool)) {
	categories["Core"].push(tool);
	} else if (["Read", "Edit", "MultiEdit", "Write", "LS", "Grep", "Glob", "NotebookEdit"].includes(tool)) {
	categories["File Operations"].push(tool);
	} else if (tool.startsWith("mcp__github__")) {
	categories["Git/GitHub"].push(formatMcpName(tool));
	} else if (tool.startsWith("mcp__") \|\| ["ListMcpResourcesTool", "ReadMcpResourceTool"].includes(tool)) {
	categories["MCP"].push(tool.startsWith("mcp__") ? formatMcpName(tool) : tool);
	} else {
	categories["Other"].push(tool);
	}
	}
	for (const [category, tools] of Object.entries(categories)) {
	if (tools.length > 0) {
	markdown += `- ${category}: ${tools.length} tools\n`;
	if (tools.length <= 5) {
	markdown += ` - ${tools.join(", ")}\n`;
	} else {
	markdown += ` - ${tools.slice(0, 3).join(", ")}, and ${tools.length - 3} more\n`;
	}
	}
	}
	markdown += "\n";
	}
	if (initEntry.slash_commands && Array.isArray(initEntry.slash_commands)) {
	const commandCount = initEntry.slash_commands.length;
	markdown += `Slash Commands: ${commandCount} available\n`;
	if (commandCount <= 10) {
	markdown += `- ${initEntry.slash_commands.join(", ")}\n`;
	} else {
	markdown += `- ${initEntry.slash_commands.slice(0, 5).join(", ")}, and ${commandCount - 5} more\n`;
	}
	markdown += "\n";
	}
	return { markdown, mcpFailures };
	}
	function formatToolUse(toolUse, toolResult) {
	const toolName = toolUse.name;
	const input = toolUse.input \|\| {};
	if (toolName === "TodoWrite") {
	return "";
	}
	function getStatusIcon() {
	if (toolResult) {
	return toolResult.is_error === true ? "❌" : "✅";
	}
	return "❓";
	}
	let markdown = "";
	const statusIcon = getStatusIcon();
	switch (toolName) {
	case "Bash":
	const command = input.command \|\| "";
	const description = input.description \|\| "";
	const formattedCommand = formatBashCommand(command);
	if (description) {
	markdown += `${description}:\n\n`;
	}
	markdown += `${statusIcon} \`${formattedCommand}\`\n\n`;
	break;
	case "Read":
	const filePath = input.file_path \|\| input.path \|\| "";
	const relativePath = filePath.replace(/^\/[^\/]\/[^\/]\/[^\/]\/[^\/]\//, "");
	markdown += `${statusIcon} Read \`${relativePath}\`\n\n`;
	break;
	case "Write":
	case "Edit":
	case "MultiEdit":
	const writeFilePath = input.file_path \|\| input.path \|\| "";
	const writeRelativePath = writeFilePath.replace(/^\/[^\/]\/[^\/]\/[^\/]\/[^\/]\//, "");
	markdown += `${statusIcon} Write \`${writeRelativePath}\`\n\n`;
	break;
	case "Grep":
	case "Glob":
	const query = input.query \|\| input.pattern \|\| "";
	markdown += `${statusIcon} Search for \`${truncateString(query, 80)}\`\n\n`;
	break;
	case "LS":
	const lsPath = input.path \|\| "";
	const lsRelativePath = lsPath.replace(/^\/[^\/]\/[^\/]\/[^\/]\/[^\/]\//, "");
	markdown += `${statusIcon} LS: ${lsRelativePath \|\| lsPath}\n\n`;
	break;
	default:
	if (toolName.startsWith("mcp__")) {
	const mcpName = formatMcpName(toolName);
	const params = formatMcpParameters(input);
	markdown += `${statusIcon} ${mcpName}(${params})\n\n`;
	} else {
	const keys = Object.keys(input);
	if (keys.length > 0) {
	const mainParam = keys.find(k => ["query", "command", "path", "file_path", "content"].includes(k)) \|\| keys[0];
	const value = String(input[mainParam] \|\| "");
	if (value) {
	markdown += `${statusIcon} ${toolName}: ${truncateString(value, 100)}\n\n`;
	} else {
	markdown += `${statusIcon} ${toolName}\n\n`;
	}
	} else {
	markdown += `${statusIcon} ${toolName}\n\n`;
	}
	}
	}
	return markdown;
	}
	function formatMcpName(toolName) {
	if (toolName.startsWith("mcp__")) {
	const parts = toolName.split("__");
	if (parts.length >= 3) {
	const provider = parts[1];
	const method = parts.slice(2).join("_");
	return `${provider}::${method}`;
	}
	}
	return toolName;
	}
	function formatMcpParameters(input) {
	const keys = Object.keys(input);
	if (keys.length === 0) return "";
	const paramStrs = [];
	for (const key of keys.slice(0, 4)) {
	const value = String(input[key] \|\| "");
	paramStrs.push(`${key}: ${truncateString(value, 40)}`);
	}
	if (keys.length > 4) {
	paramStrs.push("...");
	}
	return paramStrs.join(", ");
	}
	function formatBashCommand(command) {
	if (!command) return "";
	let formatted = command
	.replace(/\n/g, " ")
	.replace(/\r/g, " ")
	.replace(/\t/g, " ")
	.replace(/\s+/g, " ")
	.trim();
	formatted = formatted.replace(/`/g, "\\`");
	const maxLength = 80;
	if (formatted.length > maxLength) {
	formatted = formatted.substring(0, maxLength) + "...";
	}
	return formatted;
	}
	function truncateString(str, maxLength) {
	if (!str) return "";
	if (str.length <= maxLength) return str;
	return str.substring(0, maxLength) + "...";
	}
	if (typeof module !== "undefined" && module.exports) {
	module.exports = {
	parseClaudeLog,
	formatToolUse,
	formatInitializationSummary,
	formatBashCommand,
	truncateString,
	};
	}
	main();
	- name: Upload agent logs
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: dev.log
	path: /tmp/dev.log
	if-no-files-found: warn

	echo:
	needs: agent
	runs-on: ubuntu-latest
	steps:
	- name: Download agent output artifact
	continue-on-error: true
	uses: actions/download-artifact@v5
	with:
	name: safe_output.jsonl
	path: /tmp/safe-jobs/
	- name: Setup Safe Job Environment Variables
	run: \|
	echo "Setting up environment for safe job"
	echo "GITHUB_AW_AGENT_OUTPUT=/tmp/safe-jobs/safe_output.jsonl" >> $GITHUB_ENV
	- name: Echo message
	run: \|-
	if [ -f "$GITHUB_AW_AGENT_OUTPUT" ]; then
	MESSAGE=$(cat "$GITHUB_AW_AGENT_OUTPUT" \| jq -r 'select(.tool == "echo") \| .message // "Hello from safe-job!"')
	echo "Echoing message: $MESSAGE"
	else
	echo "No agent output found, using default: Hello from safe-job!"
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dev #980

Workflow file

Dev #980

Uh oh!

Workflow file for this run