From 4e6f29bb6a0ff0fec6852105d0b23a5b6fba995e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 2 Jan 2026 20:42:28 +0000 Subject: [PATCH 1/5] Initial plan From 2c9c7a22b6667ee8df9be8e5cb45268b005eb852 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 2 Jan 2026 20:51:50 +0000 Subject: [PATCH 2/5] Implement MCP environment variable passthrough to gateway server Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/campaign-generator.lock.yml | 2 +- pkg/workflow/gateway.go | 36 +++- pkg/workflow/gateway_test.go | 84 +++++--- pkg/workflow/mcp_servers.go | 199 +++++++++--------- 4 files changed, 188 insertions(+), 133 deletions(-) diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml index 6acb3542040..8fbb760b93a 100644 --- a/.github/workflows/campaign-generator.lock.yml +++ b/.github/workflows/campaign-generator.lock.yml @@ -365,8 +365,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/pkg/workflow/gateway.go b/pkg/workflow/gateway.go index 37969d38afd..5d6d0fa761b 100644 --- a/pkg/workflow/gateway.go +++ b/pkg/workflow/gateway.go @@ -2,6 +2,7 @@ package workflow import ( "fmt" + "sort" "strings" "github.com/githubnext/gh-aw/pkg/logger" @@ -44,7 +45,7 @@ func getMCPGatewayConfig(workflowData *WorkflowData) *MCPGatewayRuntimeConfig { } // generateMCPGatewaySteps generates the steps to start and verify the MCP gateway -func generateMCPGatewaySteps(workflowData *WorkflowData, mcpServersConfig map[string]any) []GitHubActionStep { +func generateMCPGatewaySteps(workflowData *WorkflowData, mcpEnvVars map[string]string) []GitHubActionStep { if !isMCPGatewayEnabled(workflowData) { return nil } @@ -54,13 +55,13 @@ func generateMCPGatewaySteps(workflowData *WorkflowData, mcpServersConfig map[st return nil } - gatewayLog.Printf("Generating MCP gateway steps: port=%d, container=%s, command=%s, servers=%d", - config.Port, config.Container, config.Command, len(mcpServersConfig)) + gatewayLog.Printf("Generating MCP gateway steps: port=%d, container=%s, command=%s, env_vars=%d", + config.Port, config.Container, config.Command, len(mcpEnvVars)) var steps []GitHubActionStep // Step 1: Start MCP Gateway (background process) - startStep := generateMCPGatewayStartStep(config, mcpServersConfig) + startStep := generateMCPGatewayStartStep(config, mcpEnvVars) steps = append(steps, startStep) // Step 2: Health check to verify gateway is running @@ -71,7 +72,7 @@ func generateMCPGatewaySteps(workflowData *WorkflowData, mcpServersConfig map[st } // generateMCPGatewayStartStep generates the step that starts the MCP gateway -func generateMCPGatewayStartStep(config *MCPGatewayRuntimeConfig, mcpServersConfig map[string]any) GitHubActionStep { +func generateMCPGatewayStartStep(config *MCPGatewayRuntimeConfig, mcpEnvVars map[string]string) GitHubActionStep { gatewayLog.Print("Generating MCP gateway start step") port, err := validateAndNormalizePort(config.Port) @@ -87,11 +88,32 @@ func generateMCPGatewayStartStep(config *MCPGatewayRuntimeConfig, mcpServersConf stepLines := []string{ " - name: Start MCP Gateway", + } + + // Add env block if there are environment variables to pass through + if len(mcpEnvVars) > 0 { + stepLines = append(stepLines, " env:") + + // Sort environment variable names for consistent output + envVarNames := make([]string, 0, len(mcpEnvVars)) + for envVarName := range mcpEnvVars { + envVarNames = append(envVarNames, envVarName) + } + sort.Strings(envVarNames) + + // Write environment variables in sorted order + for _, envVarName := range envVarNames { + envVarValue := mcpEnvVars[envVarName] + stepLines = append(stepLines, fmt.Sprintf(" %s: %s", envVarName, envVarValue)) + } + } + + stepLines = append(stepLines, " run: |", - " mkdir -p " + MCPGatewayLogsFolder, + " mkdir -p "+MCPGatewayLogsFolder, " echo 'Starting MCP Gateway...'", " ", - } + ) // Check which mode to use: container, command, or default (awmg binary) if config.Container != "" { diff --git a/pkg/workflow/gateway_test.go b/pkg/workflow/gateway_test.go index c2499929a37..f85ee5b6907 100644 --- a/pkg/workflow/gateway_test.go +++ b/pkg/workflow/gateway_test.go @@ -197,13 +197,13 @@ func TestGenerateMCPGatewaySteps(t *testing.T) { tests := []struct { name string data *WorkflowData - mcpServers map[string]any + mcpEnvVars map[string]string expectSteps int }{ { name: "gateway disabled returns no steps", data: &WorkflowData{}, - mcpServers: map[string]any{}, + mcpEnvVars: map[string]string{}, expectSteps: 0, }, { @@ -218,16 +218,14 @@ func TestGenerateMCPGatewaySteps(t *testing.T) { "mcp-gateway": true, }, }, - mcpServers: map[string]any{ - "github": map[string]any{}, - }, + mcpEnvVars: map[string]string{}, expectSteps: 2, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - steps := generateMCPGatewaySteps(tt.data, tt.mcpServers) + steps := generateMCPGatewaySteps(tt.data, tt.mcpEnvVars) assert.Len(t, steps, tt.expectSteps) }) } @@ -237,11 +235,9 @@ func TestGenerateMCPGatewayStartStep(t *testing.T) { config := &MCPGatewayRuntimeConfig{ Port: 8080, } - mcpServers := map[string]any{ - "github": map[string]any{}, - } + mcpEnvVars := map[string]string{} - step := generateMCPGatewayStartStep(config, mcpServers) + step := generateMCPGatewayStartStep(config, mcpEnvVars) stepStr := strings.Join(step, "\n") assert.Contains(t, stepStr, "Start MCP Gateway") @@ -529,11 +525,9 @@ func TestGenerateMCPGatewayStartStep_ContainerMode(t *testing.T) { EntrypointArgs: []string{"--config-stdin"}, Port: 8000, } - mcpServers := map[string]any{ - "github": map[string]any{}, - } + mcpEnvVars := map[string]string{} - step := generateMCPGatewayStartStep(config, mcpServers) + step := generateMCPGatewayStartStep(config, mcpEnvVars) stepStr := strings.Join(step, "\n") // Should use container mode @@ -549,11 +543,9 @@ func TestGenerateMCPGatewayStartStep_CommandMode(t *testing.T) { Args: []string{"--debug"}, Port: 9000, } - mcpServers := map[string]any{ - "github": map[string]any{}, - } + mcpEnvVars := map[string]string{} - step := generateMCPGatewayStartStep(config, mcpServers) + step := generateMCPGatewayStartStep(config, mcpEnvVars) stepStr := strings.Join(step, "\n") // Should use command mode @@ -567,11 +559,9 @@ func TestGenerateMCPGatewayStartStep_DefaultMode(t *testing.T) { config := &MCPGatewayRuntimeConfig{ Port: 8080, } - mcpServers := map[string]any{ - "github": map[string]any{}, - } + mcpEnvVars := map[string]string{} - step := generateMCPGatewayStartStep(config, mcpServers) + step := generateMCPGatewayStartStep(config, mcpEnvVars) stepStr := strings.Join(step, "\n") // Should use default awmg mode @@ -676,11 +666,9 @@ func TestGenerateMCPGatewayStartStepWithInvalidPort(t *testing.T) { config := &MCPGatewayRuntimeConfig{ Port: tt.port, } - mcpServers := map[string]any{ - "github": map[string]any{}, - } + mcpEnvVars := map[string]string{} - step := generateMCPGatewayStartStep(config, mcpServers) + step := generateMCPGatewayStartStep(config, mcpEnvVars) stepStr := strings.Join(step, "\n") // Should still generate valid step with default port @@ -763,3 +751,47 @@ func TestGetMCPGatewayURLWithInvalidPort(t *testing.T) { }) } } + +func TestGenerateMCPGatewayStartStep_WithEnvVars(t *testing.T) { + config := &MCPGatewayRuntimeConfig{ + Port: 8080, + } + mcpEnvVars := map[string]string{ + "GITHUB_MCP_SERVER_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + "GH_AW_SAFE_OUTPUTS": "${{ env.GH_AW_SAFE_OUTPUTS }}", + "GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}", + } + + step := generateMCPGatewayStartStep(config, mcpEnvVars) + stepStr := strings.Join(step, "\n") + + // Should include env block + assert.Contains(t, stepStr, "env:") + // Should include environment variables in alphabetical order + assert.Contains(t, stepStr, "GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}") + assert.Contains(t, stepStr, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOKEN }}") + assert.Contains(t, stepStr, "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}") + + // Verify alphabetical ordering (GH_AW_SAFE_OUTPUTS should come before GITHUB_*) + ghAwPos := strings.Index(stepStr, "GH_AW_SAFE_OUTPUTS") + githubMcpPos := strings.Index(stepStr, "GITHUB_MCP_SERVER_TOKEN") + githubTokenPos := strings.Index(stepStr, "GITHUB_TOKEN") + assert.True(t, ghAwPos < githubMcpPos, "GH_AW_SAFE_OUTPUTS should come before GITHUB_MCP_SERVER_TOKEN") + assert.True(t, githubMcpPos < githubTokenPos, "GITHUB_MCP_SERVER_TOKEN should come before GITHUB_TOKEN") +} + +func TestGenerateMCPGatewayStartStep_WithoutEnvVars(t *testing.T) { + config := &MCPGatewayRuntimeConfig{ + Port: 8080, + } + mcpEnvVars := map[string]string{} + + step := generateMCPGatewayStartStep(config, mcpEnvVars) + stepStr := strings.Join(step, "\n") + + // Should NOT include env block when no environment variables + assert.NotContains(t, stepStr, "env:") + // Should still have the run block + assert.Contains(t, stepStr, "run: |") + assert.Contains(t, stepStr, "Start MCP Gateway") +} diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go index 71374f7dfba..0b902b9082a 100644 --- a/pkg/workflow/mcp_servers.go +++ b/pkg/workflow/mcp_servers.go @@ -50,6 +50,92 @@ func HasMCPServers(workflowData *WorkflowData) bool { return false } +// collectMCPEnvironmentVariables collects all MCP-related environment variables +// from the workflow configuration to be passed to both Setup MCPs and MCP Gateway steps +func collectMCPEnvironmentVariables(tools map[string]any, mcpTools []string, workflowData *WorkflowData, hasAgenticWorkflows bool) map[string]string { + envVars := make(map[string]string) + + // Check for GitHub MCP server token + hasGitHub := false + for _, toolName := range mcpTools { + if toolName == "github" { + hasGitHub = true + break + } + } + if hasGitHub { + githubTool := tools["github"] + customGitHubToken := getGitHubToken(githubTool) + effectiveToken := getEffectiveGitHubToken(customGitHubToken, workflowData.GitHubToken) + envVars["GITHUB_MCP_SERVER_TOKEN"] = effectiveToken + } + + // Check for safe-outputs env vars + hasSafeOutputs := false + for _, toolName := range mcpTools { + if toolName == "safe-outputs" { + hasSafeOutputs = true + break + } + } + if hasSafeOutputs { + envVars["GH_AW_SAFE_OUTPUTS"] = "${{ env.GH_AW_SAFE_OUTPUTS }}" + // Only add upload-assets env vars if upload-assets is configured + if workflowData.SafeOutputs.UploadAssets != nil { + envVars["GH_AW_ASSETS_BRANCH"] = "${{ env.GH_AW_ASSETS_BRANCH }}" + envVars["GH_AW_ASSETS_MAX_SIZE_KB"] = "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}" + envVars["GH_AW_ASSETS_ALLOWED_EXTS"] = "${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}" + } + } + + // Check for safe-inputs env vars + hasSafeInputs := false + for _, toolName := range mcpTools { + if toolName == "safe-inputs" { + hasSafeInputs = true + break + } + } + if hasSafeInputs { + // Add server configuration env vars from step outputs + envVars["GH_AW_SAFE_INPUTS_PORT"] = "${{ steps.safe-inputs-start.outputs.port }}" + envVars["GH_AW_SAFE_INPUTS_API_KEY"] = "${{ steps.safe-inputs-start.outputs.api_key }}" + + // Add tool-specific env vars (secrets passthrough) + safeInputsSecrets := collectSafeInputsSecrets(workflowData.SafeInputs) + for envVarName, secretExpr := range safeInputsSecrets { + envVars[envVarName] = secretExpr + } + } + + // Check for agentic-workflows GITHUB_TOKEN + if hasAgenticWorkflows { + envVars["GITHUB_TOKEN"] = "${{ secrets.GITHUB_TOKEN }}" + } + + // Check for Playwright domain secrets + hasPlaywright := false + for _, toolName := range mcpTools { + if toolName == "playwright" { + hasPlaywright = true + break + } + } + if hasPlaywright { + // Extract all expressions from playwright arguments using ExpressionExtractor + if playwrightTool, ok := tools["playwright"]; ok { + allowedDomains := generatePlaywrightAllowedDomains(playwrightTool) + customArgs := getPlaywrightCustomArgs(playwrightTool) + playwrightAllowedDomainsSecrets := extractExpressionsFromPlaywrightArgs(allowedDomains, customArgs) + for envVarName, originalExpr := range playwrightAllowedDomainsSecrets { + envVars[envVarName] = originalExpr + } + } + } + + return envVars +} + // generateMCPSetup generates the MCP server configuration setup func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, engine CodingAgentEngine, workflowData *WorkflowData) { mcpServersLog.Print("Generating MCP server configuration setup") @@ -331,109 +417,24 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Use the engine's RenderMCPConfig method yaml.WriteString(" - name: Setup MCPs\n") - // Add env block for environment variables to prevent template injection - needsEnvBlock := false - hasGitHub := false - hasSafeOutputs := false - hasSafeInputs := false - hasPlaywright := false - var playwrightAllowedDomainsSecrets map[string]string - // Note: hasAgenticWorkflows is already declared earlier in this function + // Collect all MCP-related environment variables using centralized helper + mcpEnvVars := collectMCPEnvironmentVariables(tools, mcpTools, workflowData, hasAgenticWorkflows) - for _, toolName := range mcpTools { - if toolName == "github" { - hasGitHub = true - needsEnvBlock = true - } - if toolName == "safe-outputs" { - hasSafeOutputs = true - needsEnvBlock = true - } - if toolName == "safe-inputs" { - hasSafeInputs = true - // Safe-inputs now always needs env block for port and API key - needsEnvBlock = true - } - if toolName == "agentic-workflows" { - needsEnvBlock = true - } - if toolName == "playwright" { - hasPlaywright = true - // Extract all expressions from playwright arguments using ExpressionExtractor - if playwrightTool, ok := tools["playwright"]; ok { - allowedDomains := generatePlaywrightAllowedDomains(playwrightTool) - customArgs := getPlaywrightCustomArgs(playwrightTool) - playwrightAllowedDomainsSecrets = extractExpressionsFromPlaywrightArgs(allowedDomains, customArgs) - if len(playwrightAllowedDomainsSecrets) > 0 { - needsEnvBlock = true - } - } - } - } - - if needsEnvBlock { + // Add env block if any environment variables are needed + if len(mcpEnvVars) > 0 { yaml.WriteString(" env:\n") - // Add GitHub token env var if GitHub tool is present - if hasGitHub { - githubTool := tools["github"] - customGitHubToken := getGitHubToken(githubTool) - effectiveToken := getEffectiveGitHubToken(customGitHubToken, workflowData.GitHubToken) - yaml.WriteString(" GITHUB_MCP_SERVER_TOKEN: " + effectiveToken + "\n") - } - - // Add safe-outputs env vars if present - if hasSafeOutputs { - yaml.WriteString(" GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}\n") - // Only add upload-assets env vars if upload-assets is configured - if workflowData.SafeOutputs.UploadAssets != nil { - yaml.WriteString(" GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}\n") - yaml.WriteString(" GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}\n") - yaml.WriteString(" GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }}\n") - } + // Sort environment variable names for consistent output + envVarNames := make([]string, 0, len(mcpEnvVars)) + for envVarName := range mcpEnvVars { + envVarNames = append(envVarNames, envVarName) } + sort.Strings(envVarNames) - // Add safe-inputs env vars if present - if hasSafeInputs { - // Add server configuration env vars from step outputs - yaml.WriteString(" GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }}\n") - yaml.WriteString(" GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }}\n") - - // Add tool-specific env vars (secrets passthrough) - safeInputsSecrets := collectSafeInputsSecrets(workflowData.SafeInputs) - if len(safeInputsSecrets) > 0 { - // Sort env var names for consistent output - envVarNames := make([]string, 0, len(safeInputsSecrets)) - for envVarName := range safeInputsSecrets { - envVarNames = append(envVarNames, envVarName) - } - sort.Strings(envVarNames) - - for _, envVarName := range envVarNames { - secretExpr := safeInputsSecrets[envVarName] - fmt.Fprintf(yaml, " %s: %s\n", envVarName, secretExpr) - } - } - } - - // Add GITHUB_TOKEN for agentic-workflows if present - if hasAgenticWorkflows { - yaml.WriteString(" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n") - } - - // Add Playwright expression environment variables if present - if hasPlaywright && len(playwrightAllowedDomainsSecrets) > 0 { - // Sort env var names for consistent output - envVarNames := make([]string, 0, len(playwrightAllowedDomainsSecrets)) - for envVarName := range playwrightAllowedDomainsSecrets { - envVarNames = append(envVarNames, envVarName) - } - sort.Strings(envVarNames) - - for _, envVarName := range envVarNames { - originalExpr := playwrightAllowedDomainsSecrets[envVarName] - fmt.Fprintf(yaml, " %s: %s\n", envVarName, originalExpr) - } + // Write environment variables in sorted order + for _, envVarName := range envVarNames { + envVarValue := mcpEnvVars[envVarName] + fmt.Fprintf(yaml, " %s: %s\n", envVarName, envVarValue) } } @@ -442,7 +443,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, engine.RenderMCPConfig(yaml, tools, mcpTools, workflowData) // Generate MCP gateway steps if configured (after Setup MCPs completes) - gatewaySteps := generateMCPGatewaySteps(workflowData, nil) + gatewaySteps := generateMCPGatewaySteps(workflowData, mcpEnvVars) for _, step := range gatewaySteps { for _, line := range step { yaml.WriteString(line + "\n") From 88a371213d2231ed5f39a1648c426662a8675da6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 2 Jan 2026 20:56:35 +0000 Subject: [PATCH 3/5] Verify MCP environment variable passthrough works correctly Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 2 +- .../smoke-copilot-no-firewall.lock.yml | 15 +++- pkg/cli/templates/github-agentic-workflows.md | 77 +++++++++++++++++++ pkg/workflow/gateway_test.go | 2 +- 4 files changed, 90 insertions(+), 6 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 5dda65594ef..8eefa82208b 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -308,8 +308,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml index ab7cb7c7669..10dda3a6409 100644 --- a/.github/workflows/smoke-copilot-no-firewall.lock.yml +++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml @@ -456,12 +456,12 @@ jobs: - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_DEBUG: 1 + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -549,6 +549,13 @@ jobs: echo "HOME: $HOME" echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" - name: Start MCP Gateway + env: + GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_DEBUG: 1 + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-gateway-logs echo 'Starting MCP Gateway...' diff --git a/pkg/cli/templates/github-agentic-workflows.md b/pkg/cli/templates/github-agentic-workflows.md index 19bcb46b02c..f8052224b8e 100644 --- a/pkg/cli/templates/github-agentic-workflows.md +++ b/pkg/cli/templates/github-agentic-workflows.md @@ -115,6 +115,9 @@ The YAML frontmatter supports these fields: - **`roles:`** - Repository access roles that can trigger workflow (array or "all") - Default: `[admin, maintainer, write]` - Available roles: `admin`, `maintainer`, `write`, `read`, `all` +- **`bots:`** - Bot identifiers allowed to trigger workflow regardless of role permissions (array) + - Example: `bots: [dependabot[bot], renovate[bot], github-actions[bot]]` + - Bot must be active (installed) on repository to trigger workflow - **`strict:`** - Enable enhanced validation for production workflows (boolean, defaults to `true`) - When omitted, workflows enforce strict mode security constraints - Set to `false` to explicitly disable strict mode for development/testing @@ -251,6 +254,43 @@ The YAML frontmatter supports these fields: args: ["--custom-arg", "value"] # Optional: additional AWF arguments ``` +- **`sandbox:`** - Sandbox configuration for AI engines (string or object) + - String format: `"default"` (no sandbox), `"awf"` (Agent Workflow Firewall), `"srt"` or `"sandbox-runtime"` (Anthropic Sandbox Runtime) + - Object format for full configuration: + ```yaml + sandbox: + agent: awf # or "srt", or false to disable + mcp: # MCP Gateway configuration (requires mcp-gateway feature flag) + container: ghcr.io/githubnext/mcp-gateway + port: 8080 + api-key: ${{ secrets.MCP_GATEWAY_API_KEY }} + ``` + - **Agent sandbox options**: + - `awf`: Agent Workflow Firewall for domain-based access control + - `srt`: Anthropic Sandbox Runtime for filesystem and command sandboxing + - `false`: Disable agent firewall + - **AWF configuration**: + ```yaml + sandbox: + agent: + id: awf + mounts: + - "/host/data:/data:ro" + - "/host/bin/tool:/usr/local/bin/tool:ro" + ``` + - **SRT configuration**: + ```yaml + sandbox: + agent: + id: srt + config: + filesystem: + allowWrite: [".", "/tmp"] + denyRead: ["/etc/secrets"] + enableWeakerNestedSandbox: true + ``` + - **MCP Gateway**: Routes MCP server calls through unified HTTP gateway (experimental) + - **`tools:`** - Tool configuration for coding agent - `github:` - GitHub API tools - `allowed:` - Array of allowed GitHub API functions @@ -578,6 +618,43 @@ The YAML frontmatter supports these fields: ``` Useful when you need additional permissions or want to perform actions across repositories. +- **`safe-inputs:`** - Define custom lightweight MCP tools as JavaScript, shell, or Python scripts (object) + - Tools mounted in MCP server with access to specified secrets + - Each tool requires `description` and one of: `script` (JavaScript), `run` (shell), or `py` (Python) + - Tool configuration properties: + - `description:` - Tool description (required) + - `inputs:` - Input parameters with type and description (object) + - `script:` - JavaScript implementation (CommonJS format) + - `run:` - Shell script implementation + - `py:` - Python script implementation + - `env:` - Environment variables for secrets (supports `${{ secrets.* }}`) + - `timeout:` - Execution timeout in seconds (default: 60) + - Example: + ```yaml + safe-inputs: + search-issues: + description: "Search GitHub issues using API" + inputs: + query: + type: string + description: "Search query" + required: true + limit: + type: number + description: "Max results" + default: 10 + script: | + const { Octokit } = require('@octokit/rest'); + const octokit = new Octokit({ auth: process.env.GH_TOKEN }); + const result = await octokit.search.issuesAndPullRequests({ + q: inputs.query, + per_page: inputs.limit + }); + return result.data.items; + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ``` + - **`slash_command:`** - Command trigger configuration for /mention workflows (replaces deprecated `command:`) - **`cache:`** - Cache configuration for workflow dependencies (object or array) - **`cache-memory:`** - Memory MCP server with persistent cache storage (boolean or object) diff --git a/pkg/workflow/gateway_test.go b/pkg/workflow/gateway_test.go index f85ee5b6907..1dc97f66f9d 100644 --- a/pkg/workflow/gateway_test.go +++ b/pkg/workflow/gateway_test.go @@ -218,7 +218,7 @@ func TestGenerateMCPGatewaySteps(t *testing.T) { "mcp-gateway": true, }, }, - mcpEnvVars: map[string]string{}, + mcpEnvVars: map[string]string{}, expectSteps: 2, }, } From 600ab11f123647eb71248bc4b543cbe71800ddc4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 2 Jan 2026 21:00:39 +0000 Subject: [PATCH 4/5] Finalize MCP gateway environment variable passthrough implementation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 2 +- .github/workflows/ai-moderator.lock.yml | 2 +- .github/workflows/archie.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 6 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/brave.lock.yml | 2 +- .../breaking-change-checker.lock.yml | 2 +- .github/workflows/campaign-manager.lock.yml | 2 +- .github/workflows/changeset.lock.yml | 2 +- .github/workflows/ci-coach.lock.yml | 2 +- .github/workflows/ci-doctor.lock.yml | 2 +- .../cli-consistency-checker.lock.yml | 2 +- .../workflows/cli-version-checker.lock.yml | 2 +- .github/workflows/cloclo.lock.yml | 2 +- .../commit-changes-analyzer.lock.yml | 2 +- .../workflows/copilot-agent-analysis.lock.yml | 2 +- .../copilot-pr-merged-report.lock.yml | 6 +- .../copilot-pr-nlp-analysis.lock.yml | 6 +- .../copilot-pr-prompt-analysis.lock.yml | 2 +- .../copilot-session-insights.lock.yml | 6 +- .github/workflows/craft.lock.yml | 2 +- .../daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-choice-test.lock.yml | 2 +- .../workflows/daily-cli-performance.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 6 +- .../daily-copilot-token-report.lock.yml | 6 +- .github/workflows/daily-doc-updater.lock.yml | 2 +- .github/workflows/daily-fact.lock.yml | 2 +- .github/workflows/daily-file-diet.lock.yml | 6 +- .../workflows/daily-firewall-report.lock.yml | 6 +- .../workflows/daily-issues-report.lock.yml | 6 +- .../daily-malicious-code-scan.lock.yml | 2 +- .../daily-multi-device-docs-tester.lock.yml | 6 +- .github/workflows/daily-news.lock.yml | 6 +- .../daily-performance-summary.lock.yml | 8 +- .../workflows/daily-repo-chronicle.lock.yml | 6 +- .github/workflows/daily-team-status.lock.yml | 2 +- .../workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/deep-report.lock.yml | 6 +- .../workflows/dependabot-go-checker.lock.yml | 2 +- .github/workflows/dev-hawk.lock.yml | 2 +- .github/workflows/dev.lock.yml | 2 +- .../developer-docs-consolidator.lock.yml | 2 +- .github/workflows/dictation-prompt.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 6 +- ...ty-maintenance-project67.campaign.lock.yml | 2 +- .../duplicate-code-detector.lock.yml | 2 +- .../example-workflow-analyzer.lock.yml | 2 +- .../github-mcp-structural-analysis.lock.yml | 6 +- .../github-mcp-tools-report.lock.yml | 2 +- .../workflows/glossary-maintainer.lock.yml | 2 +- .github/workflows/go-fan.lock.yml | 2 +- ...size-reduction-project64.campaign.lock.yml | 109 +++++++++--------- .github/workflows/go-logger.lock.yml | 2 +- .../workflows/go-pattern-detector.lock.yml | 2 +- .github/workflows/grumpy-reviewer.lock.yml | 2 +- .github/workflows/hourly-ci-cleaner.lock.yml | 2 +- .../workflows/human-ai-collaboration.lock.yml | 2 +- .github/workflows/incident-response.lock.yml | 2 +- .../workflows/instructions-janitor.lock.yml | 2 +- .github/workflows/intelligence.lock.yml | 6 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-classifier.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .../issue-template-optimizer.lock.yml | 2 +- .github/workflows/issue-triage-agent.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 2 +- .../workflows/layout-spec-maintainer.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/mergefest.lock.yml | 2 +- .../workflows/notion-issue-summary.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 6 +- .github/workflows/org-wide-rollout.lock.yml | 2 +- .github/workflows/pdf-summary.lock.yml | 2 +- .github/workflows/plan.lock.yml | 2 +- ...ayground-org-project-update-issue.lock.yml | 2 +- .../playground-snapshots-refresh.lock.yml | 2 +- .github/workflows/poem-bot.lock.yml | 6 +- .github/workflows/portfolio-analyst.lock.yml | 6 +- .../workflows/pr-nitpick-reviewer.lock.yml | 2 +- .../prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/python-data-charts.lock.yml | 6 +- .github/workflows/q.lock.yml | 2 +- .github/workflows/release.lock.yml | 2 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .../repository-quality-improver.lock.yml | 2 +- .github/workflows/research.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .../schema-consistency-checker.lock.yml | 2 +- .github/workflows/scout.lock.yml | 2 +- .../workflows/security-compliance.lock.yml | 2 +- .github/workflows/security-fix-pr.lock.yml | 2 +- .../semantic-function-refactor.lock.yml | 2 +- .../workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .../workflows/smoke-codex-firewall.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .../smoke-copilot-playwright.lock.yml | 8 +- .../smoke-copilot-safe-inputs.lock.yml | 6 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/smoke-detector.lock.yml | 2 +- .github/workflows/smoke-srt.lock.yml | 2 +- .github/workflows/spec-kit-execute.lock.yml | 2 +- .github/workflows/spec-kit-executor.lock.yml | 2 +- .github/workflows/speckit-dispatcher.lock.yml | 2 +- .../workflows/stale-repo-identifier.lock.yml | 6 +- .../workflows/static-analysis-report.lock.yml | 2 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/super-linter.lock.yml | 2 +- .../workflows/technical-doc-writer.lock.yml | 6 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .github/workflows/tidy.lock.yml | 2 +- .github/workflows/typist.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 6 +- .github/workflows/video-analyzer.lock.yml | 2 +- .../workflows/weekly-issue-summary.lock.yml | 6 +- .github/workflows/workflow-generator.lock.yml | 2 +- .../workflow-health-manager.lock.yml | 2 +- 119 files changed, 228 insertions(+), 229 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index e410c9b4f12..b68b258aad9 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -442,8 +442,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 2bcdd84a3a0..096a099fe84 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -340,8 +340,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index aa4c0973571..ffb1c9f4c18 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -347,8 +347,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 4460f1adbbe..63840521b17 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -403,11 +403,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 783180610ee..3a740f403bb 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -304,8 +304,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index c45109a5fcb..23696f9e53f 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -325,8 +325,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 7218ac524ac..e30b9defc4a 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -326,8 +326,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/campaign-manager.lock.yml b/.github/workflows/campaign-manager.lock.yml index fde9369cfa8..70956a90481 100644 --- a/.github/workflows/campaign-manager.lock.yml +++ b/.github/workflows/campaign-manager.lock.yml @@ -516,8 +516,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 6f228e67325..01d2be32241 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -402,8 +402,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 22df28796d9..c902901bb86 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -371,8 +371,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index ead08a6fc76..3e9a04f4cc7 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -390,8 +390,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 306d5b7df6f..623db017d59 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -327,8 +327,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index fcba7228df9..c37a019327b 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -339,8 +339,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index d14a77888cf..74998c38cda 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -457,8 +457,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index fd4bdaeb095..e01b1392463 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -306,8 +306,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 4fedfc6f28a..1c29c2553fb 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -337,8 +337,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index a63111096bb..10d2faab22b 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -394,10 +394,10 @@ jobs: - name: Setup MCPs env: - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 06a4752af33..a506aca8a84 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -400,11 +400,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 263b6d2eb2a..522d3a979c6 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -342,8 +342,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 61fc7c085f1..d3560050870 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -389,11 +389,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 073e4a7a0fb..e3bd5e4a3a4 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -374,8 +374,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 88ac4db3a5f..a5ac35eddd5 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -337,8 +337,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index f5e0961363d..077cb8a3c72 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -276,8 +276,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index d189b887916..b1fa123a074 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -375,8 +375,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index c017dadfe67..4851abc2f93 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -378,11 +378,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 43e0cebcb29..25b21d2ab4b 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -398,11 +398,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index d6e1d8e554d..bab2a388b99 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -321,8 +321,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 4668c386732..8cb632c155d 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -275,8 +275,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 45c1b2b36c2..774ebadae7e 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -419,11 +419,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 593e5fbc770..7411c6a0413 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -401,11 +401,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 36f626377ef..7f8cc26af7e 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -441,11 +441,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 2d98c17501e..b45599287e2 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -346,8 +346,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index a02991014b3..2fff119017e 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -355,11 +355,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 98491ed4729..0b96c734c60 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -396,11 +396,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index b81a84fcbed..f399d2ccdfa 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -818,14 +818,14 @@ jobs: - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 82e6db3a5b3..2f3a08d2661 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -375,11 +375,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 7bf7f0330e1..911003f02c9 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -339,8 +339,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 033d64ffa19..fdb878edacb 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -315,8 +315,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 951a8747470..e66c2d04749 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -385,11 +385,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index e7c0ef57b84..8be304250e0 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -367,8 +367,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 33f37f10979..e70f5bfe7af 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -319,8 +319,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index f87c31382f8..518e0726a04 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -289,8 +289,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 47700636843..730fbdbf7dd 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -392,8 +392,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index d3f0cbaef8f..b8df7cee518 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -318,8 +318,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 5f6d09f66be..f4593ca46f9 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -334,11 +334,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml b/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml index 272e3a69af9..f9057246d51 100644 --- a/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml +++ b/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml @@ -391,8 +391,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 2920b647a6d..ec7169afd68 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -333,8 +333,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index f9c87907a67..4a7f67531a9 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -319,8 +319,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index cd72ce92e81..5eaab7e2309 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -373,11 +373,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index abde0ede039..657bc2a6f3d 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -381,8 +381,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 6800857021e..a8456824675 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -344,8 +344,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index c7e71fbd601..7fa532f8ecf 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -328,8 +328,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml b/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml index c8ee37d9148..09bedd162cb 100644 --- a/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml +++ b/.github/workflows/go-file-size-reduction-project64.campaign.lock.yml @@ -391,8 +391,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot @@ -679,11 +679,12 @@ jobs: - For each item, record: issue URL, status field value, other predefined field values - Create a snapshot of current board state - 4. **Compare and identify gaps** - Determine what needs updating - - Items from step 1 or 2 not on board = **new work to add** - - Items on board with state mismatch = **status to update** - - Items on board with missing custom fields (e.g., worker_workflow) = **fields to populate** - - Items on board but no longer found = **check if archived/deleted** + 4. **Compare and identify gaps** - Analyze current state (for reporting only - do NOT use this to filter items in Phase 3) + - Items from step 1 or 2 not on board = **new work discovered** (report count) + - Items on board with state mismatch = **status updates needed** (report count) + - Items on board with missing custom fields (e.g., worker_workflow) = **fields to populate** (report count) + - Items on board but no longer found = **check if archived/deleted** (report count) + - **CRITICAL**: This comparison is for reporting and planning only. In Phase 3, you MUST send ALL discovered items to update-project regardless of whether they appear to be on the board. The update-project tool handles duplicate detection automatically. #### Phase 2: Make Decisions (Planning) @@ -707,32 +708,33 @@ jobs: } ``` - 5. **Decide additions (with pacing)** - For each new item discovered: - - **CRITICAL**: All discovered items (both tracker-labeled from step 1 AND worker-created from step 2) MUST be added to the board to maintain synchronization between the campaign state and the project board. - - Decision: Add to board? (Default: **YES** for all items with tracker label or worker tracker-id) - - If `governance.max-new-items-per-run` is set, add at most that many new items in this single run (remaining items will be added in subsequent runs) + 5. **Decide processing order (with pacing)** - For items discovered in steps 1-2: + - **CRITICAL**: ALL discovered items (both tracker-labeled from step 1 AND worker-created from step 2) MUST be sent to update-project in Phase 3, regardless of whether they appear to already be on the board. The update-project tool handles idempotency automatically. + - If `governance.max-new-items-per-run` is set, process at most that many items in this single run (remaining items will be processed in subsequent runs) - When applying the governance limit, prioritize in this order: - 1. Tracker-labeled items (campaign tasks) - add oldest first - 2. Worker-created items (worker outputs) - add oldest first - - Determine initial status field value based on item state: + 1. Tracker-labeled items (campaign tasks) - process oldest first + 2. Worker-created items (worker outputs) - process oldest first + - Determine appropriate status field value based on item state: - Open issue/PR/discussion → "Todo" status - Closed issue/discussion → "Done" status - Merged PR → "Done" status + - **IMPORTANT**: Do NOT skip items that appear to be on the board already. Step 4 comparison is for reporting only. In Phase 3, send ALL items to update-project. - 6. **Decide updates (no downgrade)** - For each existing board item with mismatched state: - - Decision: Update status field? (Default: yes if item state changed) - - If `governance.do-not-downgrade-done-items` is true, do not move items from Done back to active status - - Determine new status field value: + 6. **Decide updates (no downgrade)** - For status field value determination: + - Determine appropriate status based on item state (open/closed/merged) + - If `governance.do-not-downgrade-done-items` is true, preserve "Done" status for items that are already marked as done on the board + - Status field mapping: - Open issue/PR/discussion → "In Progress" or "Todo" - Closed issue/discussion → "Done" - Merged PR → "Done" + - **IMPORTANT**: This is for determining what status value to send to update-project, not for deciding whether to send the request. Send ALL discovered items to update-project in Phase 3. - 6.5 **Decide field updates** - For each existing board item, check for missing custom fields: - - If item is missing `worker_workflow` field: - - Search item body (issue/PR/discussion) for tracker-id (e.g., ``) - - If tracker-id matches a worker in `workflows`, populate `worker_workflow` field with that worker ID - - Only update fields that exist on the project board - - Skip items that already have all required fields populated + 6.5 **Decide field values** - For custom field population: + - Determine which custom fields should be populated based on item metadata + - If item has a worker tracker-id in its body (e.g., ``): + - Extract the worker ID and prepare to populate `worker_workflow` field + - Prepare other custom field values based on item properties + - **IMPORTANT**: This is for determining field values to send, not for filtering items. Send ALL discovered items to update-project in Phase 3. 7. **Decide completion** - Check campaign completion criteria: - If all discovered items (issues/PRs/discussions) are closed/merged AND all board items are "Done" → Campaign complete @@ -740,40 +742,35 @@ jobs: #### Phase 3: Write State (Execution) - 8. **Execute additions** - Add new items to project board - - Add ALL items identified in step 5 (both tracker-labeled and worker-created), up to the governance limit if set - - Use `update-project` safe-output for each new item - - Set predefined fields: `status` (required), optionally `priority`, `size` - - If worker tracker-id is found in item body (issue/PR/discussion), populate `worker_workflow` field - - Record outcome: success or failure with error details - - If governance limit is reached, log remaining items and note they will be processed in the next run - - 9. **Execute status updates** - Update existing board items with status changes - - Use `update-project` safe-output for each status change - - Update only predefined fields: `status` and related metadata - - Record outcome: success or failure with error details + **CRITICAL RULE**: In this phase, you MUST send update-project requests for ALL discovered items from steps 1-2, regardless of whether they appear to already be on the board. The update-project tool handles duplicate detection and idempotency automatically. Do NOT pre-filter items based on board state. - 9.5 **Execute field updates** - Update existing board items with missing custom fields - - Use `update-project` safe-output for each item with missing fields - - Populate missing fields identified in step 6.5 (e.g., `worker_workflow`) + 8. **Execute project updates** - Send update-project for ALL discovered items + - Process ALL items from steps 1-2 (both tracker-labeled and worker-created), up to the governance limit if set + - Use `update-project` safe-output for EVERY discovered item + - Include fields from steps 5-6.5: `status`, `worker_workflow`, `priority`, `size`, etc. + - **The update-project tool will automatically**: + - Skip adding items that are already on the board (idempotent add) + - Update fields for items already on the board + - Add new items that are not yet on the board - Record outcome: success or failure with error details + - If governance limit is reached, log remaining items and note they will be processed in the next run + - **DO NOT**: Check if items are already on the board before sending requests - this causes synchronization bugs + - **DO NOT**: Skip items that appear to be on the board - send them all and let the tool handle idempotency - 10. **Record completion state** - If campaign is complete: + 9. **Record completion state** - If campaign is complete: - Mark project metadata field `campaign_status` as "completed" - Do NOT create new work or modify existing items - This is a terminal state #### Phase 4: Report (Output) - 11. **Generate status report** - Summarize execution results: + 10. **Generate status report** - Summarize execution results: - Total items discovered via tracker label (by type: issues, PRs) - Total items discovered via worker tracker-ids (by type: issues, PRs, discussions) - - Items added to board this run (count and URLs, broken down by: tracker-labeled vs worker-created) - - Items updated on board this run (count and status changes) - - Items with fields populated this run (count and which fields, e.g., worker_workflow) - - Items skipped due to governance limits (count, type, and why - noting they will be added in next run) + - Items processed with update-project this run (count and URLs, broken down by: tracker-labeled vs worker-created) + - Items skipped due to governance limits (count, type, and why - noting they will be processed in next run) - Current campaign metrics: open vs closed, progress percentage - - Any failures encountered during writes + - Any failures encountered during update-project operations - Campaign completion status ### Predefined Project Fields @@ -798,12 +795,14 @@ jobs: ### Idempotency Guarantee - All operations must be idempotent: - - Adding an item (issue/PR/discussion) already on the board → No-op (do not duplicate) - - Updating a status that matches current value → No-op (no change recorded) + **The update-project tool handles idempotency automatically.** You MUST send update-project requests for ALL discovered items. The tool will: + - Adding an item already on the board → Skips the add operation, but still updates fields (handled by tool) + - Updating a status that matches current value → No-op (handled by tool) - Marking a completed campaign as completed → No-op (terminal state preserved) - Re-running the orchestrator produces consistent results regardless of how many times it executes. + **CRITICAL**: Do NOT try to implement idempotency in your orchestrator logic by checking if items are already on the board before sending requests. This causes synchronization bugs where items are discovered but not processed. Always send ALL discovered items to update-project and let the tool handle duplicate detection. + + Re-running the orchestrator produces consistent results regardless of how many times it executes, because the update-project tool is idempotent. ### Project Board Integration @@ -823,6 +822,12 @@ jobs: content_type: "issue" # or "pull_request" content_number: 123 # Extract number from URL like https://github.com/owner/repo/issues/123 campaign_id: "CAMPAIGN_ID" # Required: extract from tracker label campaign:go-file-size-reduction-project64 + PROMPT_EOF + - name: Append prompt (part 2) + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: | + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" fields: status: "Todo" # or "Done" if issue/PR is already closed/merged ``` @@ -842,12 +847,6 @@ jobs: ``` update-project: project: "https://github.com/orgs/githubnext/projects/64" - PROMPT_EOF - - name: Append prompt (part 2) - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" content_type: "issue" # or "pull_request" content_number: 123 # Extract from URL fields: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index a4dcf0c0b8e..f7bc68af9a3 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -337,8 +337,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 0190fab11ab..1cbaaf06d3f 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -327,8 +327,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index c4a51979bc4..bbb21761db1 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -410,8 +410,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index c6f450514ef..789a1612668 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -345,8 +345,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/human-ai-collaboration.lock.yml b/.github/workflows/human-ai-collaboration.lock.yml index 7ffccd239d9..8d8e3c5e390 100644 --- a/.github/workflows/human-ai-collaboration.lock.yml +++ b/.github/workflows/human-ai-collaboration.lock.yml @@ -335,8 +335,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/incident-response.lock.yml b/.github/workflows/incident-response.lock.yml index 0a81a3e0967..3089812a6ef 100644 --- a/.github/workflows/incident-response.lock.yml +++ b/.github/workflows/incident-response.lock.yml @@ -487,8 +487,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index fd5772d2457..ca295c6351f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -321,8 +321,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/intelligence.lock.yml b/.github/workflows/intelligence.lock.yml index 4fc2e7e1414..3503c67de30 100644 --- a/.github/workflows/intelligence.lock.yml +++ b/.github/workflows/intelligence.lock.yml @@ -411,11 +411,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index c4ac12977ba..04e6ed1e8d3 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -425,8 +425,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index f23f7c834d4..1e60e0f9c64 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -300,8 +300,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 9813d740aca..323a1db6a06 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -337,8 +337,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/issue-template-optimizer.lock.yml b/.github/workflows/issue-template-optimizer.lock.yml index 503d0e0c457..bfa82371710 100644 --- a/.github/workflows/issue-template-optimizer.lock.yml +++ b/.github/workflows/issue-template-optimizer.lock.yml @@ -327,8 +327,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 178de0cb852..b2d591c7f59 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -306,8 +306,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 6a8961e2af9..8b6ebb99b44 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -341,8 +341,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 8e150e3c31f..acd2c5e6a50 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -317,8 +317,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 5110bb2b958..b7d39b6a6c4 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -315,8 +315,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 63d475051c2..d8356e8663e 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -401,8 +401,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index c14ca118629..e91394022d7 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -325,8 +325,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index ed246d5780c..46a00e90628 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -276,8 +276,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 21aafc86fc0..712980e0a42 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -373,11 +373,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/org-wide-rollout.lock.yml b/.github/workflows/org-wide-rollout.lock.yml index 3005d8b4fa2..676cd717d01 100644 --- a/.github/workflows/org-wide-rollout.lock.yml +++ b/.github/workflows/org-wide-rollout.lock.yml @@ -494,8 +494,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index eec2c5e1f0f..feebf0c8266 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -361,8 +361,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 7434879dccb..f15526c3da9 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -420,8 +420,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/playground-org-project-update-issue.lock.yml b/.github/workflows/playground-org-project-update-issue.lock.yml index 0d454e87830..c3adf55edba 100644 --- a/.github/workflows/playground-org-project-update-issue.lock.yml +++ b/.github/workflows/playground-org-project-update-issue.lock.yml @@ -339,8 +339,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.TEST_ORG_PROJECT_WRITE }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.TEST_ORG_PROJECT_WRITE }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/playground-snapshots-refresh.lock.yml b/.github/workflows/playground-snapshots-refresh.lock.yml index 4162d60eed5..ebae02b855d 100644 --- a/.github/workflows/playground-snapshots-refresh.lock.yml +++ b/.github/workflows/playground-snapshots-refresh.lock.yml @@ -330,8 +330,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index a27f5c4cd3f..af0ae7b23c0 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -871,11 +871,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 5c4aa5d9d12..8bf418e5f79 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -401,11 +401,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 38d32672d82..516f855cdf4 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -481,8 +481,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index c8bde4b5b13..3c533fdfb50 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -389,8 +389,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 649a34cd800..eda3ba53462 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -386,11 +386,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index b50dc086675..44d7dfccf37 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -454,8 +454,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index a16137ae745..64482023dfc 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -320,8 +320,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 5c0aab5bd5d..d0b446b19bd 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -309,8 +309,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index c04d1aa1e34..555f9bf80e3 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -335,8 +335,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index dd63ae3bc19..93e6b6cc65e 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -312,8 +312,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index bd5d46267c4..53c83ba2ec1 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -341,8 +341,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 7cd85adc8d1..99653286063 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -317,8 +317,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index ae9c41a2d57..78490387661 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -384,8 +384,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 52b0dc2ffbb..0a0b6b6c564 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -340,8 +340,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index a8a50e0cce1..c3b6d700fb9 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -329,8 +329,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index b152b84f613..48813796014 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -363,8 +363,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index ed6682bef1f..6def135ff91 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -344,8 +344,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 0f691ef4a89..90d12b353e6 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -449,8 +449,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/smoke-codex-firewall.lock.yml b/.github/workflows/smoke-codex-firewall.lock.yml index 659e185918e..cd0d08be158 100644 --- a/.github/workflows/smoke-codex-firewall.lock.yml +++ b/.github/workflows/smoke-codex-firewall.lock.yml @@ -450,8 +450,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 9cb0f979687..5d96849b130 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -473,8 +473,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/config.toml << EOF diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml index f3bf957b1de..db9649df512 100644 --- a/.github/workflows/smoke-copilot-playwright.lock.yml +++ b/.github/workflows/smoke-copilot-playwright.lock.yml @@ -549,12 +549,12 @@ jobs: - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_DEBUG: 1 + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml index 7caf6e5e42f..4f3e23cdc30 100644 --- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml +++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml @@ -440,10 +440,10 @@ jobs: - name: Setup MCPs env: - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} + GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_DEBUG: 1 run: | mkdir -p /tmp/gh-aw/mcp-config diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 4a8c0677d3e..8762a9b1c92 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -438,8 +438,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index 47b1f280c85..a3e8e5a6464 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -434,8 +434,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/smoke-srt.lock.yml b/.github/workflows/smoke-srt.lock.yml index cb897e7eb5f..96b7bfd2ac4 100644 --- a/.github/workflows/smoke-srt.lock.yml +++ b/.github/workflows/smoke-srt.lock.yml @@ -266,8 +266,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/spec-kit-execute.lock.yml b/.github/workflows/spec-kit-execute.lock.yml index 692c3fd6e6e..74e688869e5 100644 --- a/.github/workflows/spec-kit-execute.lock.yml +++ b/.github/workflows/spec-kit-execute.lock.yml @@ -332,8 +332,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/spec-kit-executor.lock.yml b/.github/workflows/spec-kit-executor.lock.yml index 0249eea7278..f76462efec8 100644 --- a/.github/workflows/spec-kit-executor.lock.yml +++ b/.github/workflows/spec-kit-executor.lock.yml @@ -335,8 +335,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/speckit-dispatcher.lock.yml b/.github/workflows/speckit-dispatcher.lock.yml index ecddd6ca4a4..baa7b09a608 100644 --- a/.github/workflows/speckit-dispatcher.lock.yml +++ b/.github/workflows/speckit-dispatcher.lock.yml @@ -463,8 +463,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 67c728f089e..2f298001afa 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -436,11 +436,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index fcf59ef69ab..a2d91e34b86 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -340,8 +340,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 6863b45be9f..4e425468e43 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -346,8 +346,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 1e18e4690ab..c1abb42e89f 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -350,8 +350,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 532dcd051f2..bec10dbf979 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -416,11 +416,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index c8a55f10756..db11fff00e3 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -313,8 +313,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index e659c0c1278..6a972ecb5cc 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -410,8 +410,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 5b75d75ab73..9ce20550d07 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -315,8 +315,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 3d04bfe90c0..60ed698ca8c 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -432,11 +432,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index ff2951530c0..d6c02fd1544 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -340,8 +340,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 1e058b297a4..405762d404a 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -353,11 +353,11 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index fa35abfbe96..fc37e6b9bfd 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -363,8 +363,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 771d2b30e21..6b4c5f3651e 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -434,8 +434,8 @@ jobs: EOF - name: Setup MCPs env: - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | mkdir -p /tmp/gh-aw/mcp-config mkdir -p /home/runner/.copilot From 70c3367d4d367758d4d081e544b686c3c9a370dc Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 2 Jan 2026 21:07:59 +0000 Subject: [PATCH 5/5] Add changeset [skip-ci] --- .changeset/patch-pass-mcp-env-vars-to-gateway.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .changeset/patch-pass-mcp-env-vars-to-gateway.md diff --git a/.changeset/patch-pass-mcp-env-vars-to-gateway.md b/.changeset/patch-pass-mcp-env-vars-to-gateway.md new file mode 100644 index 00000000000..9462f8a54ea --- /dev/null +++ b/.changeset/patch-pass-mcp-env-vars-to-gateway.md @@ -0,0 +1,10 @@ +--- +"gh-aw": patch +--- + +Pass MCP environment variables through to the MCP gateway (awmg) so the gateway process has access to the same secrets and env vars configured in the "Setup MCPs" step. This centralizes env var collection and updates gateway step generation and tests. + +Files changed (PR #8677): +- pkg/workflow/mcp_servers.go +- pkg/workflow/gateway.go +- pkg/workflow/gateway_test.go